Abstract. We propose the concept of adaptable processes as a way of overcoming the
limitations that process calculi have for describing patterns of dynamic process evolution.
Such patterns rely on direct ways of controlling the behavior and location of running
processes, and so they are at the heart of the adaptation capabilities present in many
modern concurrent systems. Adaptable processes have a location and are sensitive to
actions of dynamic update at runtime; this allows one to express a wide range of evolvability
patterns for concurrent processes. We introduce a core calculus of adaptable processes
and propose two verification problems for them: bounded and eventual adaptation. While
the former ensures that the number of consecutive erroneous states that can be traversed
during a computation is bounded by some given number k, the latter ensures that if the
system enters a state with errors then a state without errors will eventually be reached.
We study the (un)decidability of these two problems in several variants of the calculus,
which result from considering dynamic and static topologies of adaptable processes as
well as different evolvability patterns. Rather than a specification language, our calculus
is intended as a basis for investigating the fundamental properties of evolvable processes
and for developing richer languages with evolvability capabilities.



Process calculi aim at describing formally the behavior of concurrent systems. A leading
motivation in the development of process calculi has been properly capturing the dynamic
character of concurrent behavior. In fact, much of the success of the π-calculus [36] can be
fairly attributed to the way it departs from CCS [45] so as to describe mobile systems in
which communication topologies can change dynamically. Subsequent developments can be
explained similarly. For instance, the Ambient calculus [20] builds on π-calculus mobility
to describe the dynamics of interaction within boundaries and hierarchies, as required in
distributed systems. A commonality in these calculi is that the dynamic behavior of a
system is realized through a number of local changes, usually formalized by reduction steps.
Indeed, while in the π-calculus mobility is enforced by the reconfiguration of individual
linkages in the communication topology, in the Ambient calculus spatial mobility is obtained
by individual modifications to the containment relations within the ambient hierarchy. This
way, the combined effect of a series of changes at a local level (links, containment relations)
suffices to explain dynamic behavior at the global (system) level.

There are, however, interesting forms of dynamic behavior that cannot be satisfactorily
described as a combination of local changes, in the above sense. These are behavioral
patterns which concern change at the process level (i.e., the process as a whole), and describe
process evolution along time. In general, forms of process evolvability are characterized by
an enhanced control/awareness over the current behavior and location of running processes.
Crucially, this increased control is central to the adaptation capabilities by which processes
modify their behavior in response to exceptional circumstances in their environment. As a
simple example, consider a scheduler in an operating system which manages the execution
of a set of processes. To specify the behavior of the scheduler, the processes, and their
evolution, we would need mechanisms for direct process manipulation, which appear hard
to represent in calculi enforcing local changes only. More precisely, it is not clear at all
how to represent the intermittent evolution of a process under the scheduler's control: that
is, precise ways of describing that its behavior "disappears" (when the scheduler suspends
the process) and "appears" (when the scheduler resumes the process). Emerging applications
and programming paradigms provide challenging examples of evolvable processes. In
workflow applications, we would like to be able to replace a running activity, suspend the
execution of a set of activities, or even suspend and relocate the whole workflow. Similarly,
in component-based systems we would like to reconfigure parts of a component, a whole
component, or groups of components. Also, we would like to specify the context-aware
policies that dynamically adapt the computational power of cloud computing applications.
At the heart of these applications we find forms of process evolution and adaptation which
appear very difficult (if not impossible) to express in existing process calculi.

A Core Calculus of Adaptable Processes. In an attempt to address these shortcomings,
this paper introduces the concept of adaptable processes. Adaptable processes have a
location and are sensitive to actions of dynamic update at runtime. While locations are
useful to designate and structure processes into hierarchies, dynamic update actions implement
a sort of built-in adaptation mechanism. We illustrate this novel concept by introducing E,
a core process calculus of adaptable processes. The E calculus arises as a variant of CCS
without restriction and relabeling, extended with primitive notions of location and dynamic
update. In E, a[P] denotes the adaptable process P located at a. Name a acts as a
transparent locality: P can evolve on its own but also interact freely with its environment.
Localities can be nested, and are sensitive to interactions with update prefixes. An update
prefix a{U} decrees the update of the adaptable process at a with the behavior defined by
U, a context with zero or more holes, denoted by •. The evolution of a[P] is realized by its
interaction with the update prefix a{U}, which leads to the process obtained by replacing
every hole • in U by P, denoted U((P)).

We consider several variants of E, obtained via two orthogonal characterizations. The
first one is structural, and defines static and dynamic topologies of adaptable processes. In a
static topology, the number of adaptable processes does not vary along the evolution of the
system: they cannot be destroyed, nor can new ones appear. In contrast, in the more general
dynamic topology this restriction is lifted. We will use the subscripts s and d to denote the
variants of E with static and dynamic topologies, respectively (E_s and E_d). The second
characterization is behavioral, and concerns update patterns — the context U in an update
prefix a{U}. As hinted at above, update patterns determine the behavior of running processes
after an update action. In order to account for different evolvability patterns, we consider three
kinds of update patterns, which determine three families of E calculi — denoted by the
superscripts 1, 2, and 3, respectively. The first update pattern admits all kinds of contexts,
and so it represents the most expressive form of update. In particular, holes • can appear
behind prefixes. The second update pattern forbids such guarded holes in contexts. In the
third update pattern we further require contexts to have exactly one hole, thus preserving
the current behavior (and possibly adding new behaviors): this is the most restrictive form
of update.

In our view, these variants capture a fairly ample spectrum of scenarios that arise in
the joint analysis of correctness and adaptation concerns in evolvable systems. They borrow
inspiration from existing programming languages, development frameworks, and component
models. The structural characterization follows the premise that while it is appealing to
define the runtime evolution of the structures underlying aggregations of behaviors, in some
scenarios it is also sensible to specify evolution and adaptation preserving such structures.
For instance, we would like software updates to preserve the main architecture of our operating
system; conversely, an operating system could be designed to disallow runtime updates
that alter its basic organization in dangerous ways. A static topology is also consistent
with settings in which adaptable processes represent located resources, whose creation is
disallowed or comes with a cost (as in cloud computing scenarios). The behavioral
characterization is inspired by the (restricted) forms of reconfiguration and/or update available
in component models in which evolvability is specified in terms of patterns, such as SOFA
2 [34]. Update patterns are also related to functionalities present in programming languages
such as Erlang [7] and in development frameworks such as the Windows Workflow Foundation
(WWF) [33]. In fact, forms of dynamic update behavior for workflow services in the
WWF include the possibility of replacing and removing service contracts (analogous to our
first and second update patterns) and also the addition of new service contracts and operations
(as in our third update pattern, which preserves existing behavior and operations).

Verification of Adaptable Processes. Rather than a specification language, the E calculus
is intended as a basis for investigating the fundamental properties of evolvable processes.
In this presentation, we study two verification problems associated to E processes and their
(un)decidability. They are defined in terms of standard observability predicates (barbs),
which indicate the presence of a designated error signal. We thus distinguish between correct
states (i.e., states in which no error barbs are observable) and error states (i.e., states
exhibiting error barbs). The first verification problem, bounded adaptation (abbreviated
BA), ensures that, given a finite k, at most k consecutive error states can arise in computations
of the system — including those reachable as a result of dynamic updates. The second
one, eventual adaptation (abbreviated EA), is similar but weaker: it ensures that if the
system enters an error state then it will eventually reach a correct state. We believe
that BA and EA fit well in the kind of correctness analysis that is required in a number of
emerging applications. For instance, on the provider side of a cloud computing application,
these properties allow one to check whether a client is able to assemble faulty systems via the
aggregation of the provided services and the possible subsequent updates. On the client
side, it is possible to carry out forms of traceability analysis, so as to prove that if the system
exhibits an incorrect behavior, then it follows from a bug in the provider's infrastructure
and not from the initial aggregation and dynamic updates provided by the client.

          E_d - Dynamic Topology      E_s - Static Topology
  E^1     BA undec / EA undec         BA undec / EA undec
  E^2     BA dec   / EA undec         BA dec   / EA undec
  E^3     BA dec   / EA undec         BA dec   / EA dec

Table 1: Summary of (un)decidability results for dialects of E.

In addition to error occurrence, the correctness of adaptable processes must consider
the fact that the number of modifications (i.e., update actions) that can be applied to the
system is typically unknown. For this reason, we consider BA and EA in conjunction with
the notion of cluster of adaptable processes. Given a system P and a set M of possible
updates that can be applied to it at runtime, its associated cluster considers P together
with an arbitrary number of instances of the updates in M. This way, a cluster formalizes
adaptation and correctness properties of an initial system configuration (represented by an
aggregation of adaptable processes) in the presence of arbitrarily many sources of update
actions. For instance, in a cloud computing scenario the notion of cluster captures the cloud
application as initially deployed by the client along with the options offered by the provider
for its evolution at runtime.

Contributions. The main technical results of the paper are summarized in Table 1. The
calculus E^1 is shown to be Turing complete, and both BA and EA are shown to be undecidable
for E^1 processes. The Turing completeness of E^1 says much about the expressive power of update
actions. In fact, it is known that fragments of CCS without restriction can be translated
into finite Petri nets (see, e.g., the discussion in [17]), and so they are not Turing complete.
Update actions in E thus allow one to "jump" from finite Petri nets to a Turing complete model.
We then show that in E^2 BA is decidable, while EA remains undecidable. Interestingly, EA
is already undecidable in E_d^3, while it is decidable in E_s^3.

We now comment on the proof techniques. The decidability of EA in E_s^3 is proved by
resorting to Petri nets: EA is reduced to a problem on Petri nets that we call infinite visits
which, in turn, can be reduced to place boundedness — a decidable problem for Petri nets.
For the decidability of BA we appeal to the theory of well-structured transition systems
[30, 2] and its associated results. In our case, such a theory must be coupled with Kruskal's
theorem [39] (which allows one to deal with terms whose syntactical tree structure has an
unbounded depth), and with the calculation of the predecessors of target terms in the context
of trees with unbounded depth (which is necessary in order to deal with arbitrary aggregations
and dynamic updates that may generate new adaptable processes). This combination
of techniques proved to be very challenging. In particular, the technique is more complex
than the one given in [3], which relies on a bound on the depth of trees, or the one in [63],
where only topologies with bounded paths are taken into account. Kruskal's theorem is also
used in [17] for studying the decidability properties of calculi with exceptions and compensations.
The calculi considered in [17] are first-order; in contrast, E can be considered as a
higher-order process calculus (see Section 9).
The undecidability results are obtained via encodings of Minsky machines [47], a well-known
Turing complete model. In particular, the encodings that we provide for showing
undecidability of EA in E_s^2 and E_d^3 do not reproduce faithfully the corresponding machine,
but only finitely many steps are wrongly simulated. Similar techniques have been used to
prove the undecidability of repeated coverability in reset Petri nets [28], but in our case their
application revealed much more complex; this is particularly true for the case of E_d^3, where
there is no native mechanism for removing an arbitrary amount of processes. Moreover,
as in a cluster there is no a priori knowledge of the number of modifications that will be
applied to the system, we need to perform a parametric analysis. Parametric verification
has been studied, e.g., in the context of broadcast protocols in both fully connected [29]
and ad hoc networks [26]. Differently from [29, 26], in which the number of nodes (or the
topology) of the network is unknown, we consider systems in which there is a known part
(the initial system P), and there is another part composed of an unknown number of process
instances (taken from M, the set of possible modifications).

Summing up, in the present paper we make the following contributions:

(1) We introduce E, a core calculus of adaptable processes. E allows one to express a wide range
of patterns of process evolution and runtime adaptation. By means of structural and
behavioral characterizations, we identify different meaningful variants of the language.
We are not aware of other process calculi tailored to the joint representation of evolution
and adaptation concerns in concurrent systems.

(2) We introduce bounded and eventual adaptation — two correctness properties for adaptable
processes — and study their (un)decidability in each of the variants of E. We do so
by considering systems as part of clusters which define their evolvability along time. To
the best of our knowledge, ours is the first study of the (un)decidability of adaptation
properties for dynamically evolvable processes.

This paper is an extended, revised version of the conference paper [14]. In addition to
providing full details of the technical results, here we thoroughly develop the structural and
behavioral characterizations of adaptable processes. This way, we present a unified treatment
of the distinction between the static and dynamic topologies of adaptable processes,
as well as of the three different update patterns. These ideas were treated only partially
in [14], where one of the families of E was called E^-. In particular, new results not presented in [14]
include the relationship between static and dynamic topologies (Section 2.3) and the decidability
of EA in E_s^3 by resorting to Petri nets (Section 5.3). Moreover, several examples and
extended discussions are included. Section 9.1 is based on the short paper [15].



Structure of the document. The rest of this paper is structured as follows. The E calculus,
its different variants, and several associated results are presented in Section 2. The two
verification problems are defined in Section 3. Section 4 presents extended examples of modeling
in E, in several emerging applications. Section 5 collects basic definitions and results
on Minsky machines, well-structured transition systems, and Petri nets. (Un)decidability
results for E^1, E^2, and E^3 are detailed in Sections 6, 7 and 8, respectively. Section 9 presents
some additional discussions, and reviews some related works. Section 10 concludes. While
proofs of the main results are included in the main text, technical details for some other
results (most notably, correctness proofs for the encodings) are collected in the Appendix.
2. A Calculus of Adaptable Processes

We begin by presenting the E calculus and its different variants. Then, we introduce the
operational semantics of the calculus, and establish the relationship between static and
dynamic topologies of adaptable processes.



2.1. Syntax. The E calculus is a variant of CCS [45] without restriction and relabeling,
extended with constructs for evolvability. As in CCS, in E processes can perform actions
or synchronize on them. We presuppose a countable set N of names, ranged over by a, b,
possibly decorated (e.g., a', b', ...). As customary, we use a and ā to denote atomic
input and output actions, respectively. The syntax of E processes extends that of CCS with
primitive notions of adaptable processes a[P] and update prefixes a{U}:

$$P ::= a[P] \;\mid\; P \parallel P \;\mid\; \sum_{i \in I} \pi_i . P_i \;\mid\; !\pi . P \qquad\qquad \pi ::= a \;\mid\; \bar{a} \;\mid\; a\{U\}$$

Above, the U in the update prefix a{U} is an update pattern: it represents a context, i.e.,
a process with zero or more holes (see Definition 2.1 below). The intention is that when
an update prefix is able to interact, the current state of an adaptable process named a is
used to fill the holes in the update pattern U. Given a process P, process a[P] denotes the
adaptable process P located at a. Notice that a acts as a transparent locality: process P can
evolve on its own, and interact freely with external processes. Localities can be nested, so as
to form suitable hierarchies of adaptable processes. The rest of the syntax follows standard
lines. A process π.P performs prefix π and then behaves as P. Parallel composition P || Q
decrees the concurrent execution of P and Q. We abbreviate P_1 || ··· || P_n as ∏_{i=1}^{n} P_i,
and use P^k to denote the parallel composition of k instances of process P. Given an
index set I = {1, ..., n}, the guarded sum Σ_{i∈I} π_i.P_i represents an exclusive choice over
π_1.P_1, ..., π_n.P_n. As usual, we write π_1.P_1 + π_2.P_2 if |I| = 2, and 0 if I is empty. Process
!π.P defines guarded replication, i.e., infinitely many occurrences of P in parallel, which
are triggered by prefix π.

We now define a general way of extending the grammar of process languages with
holes, so as to define update patterns. Intuitively, we extend rule productions with a
hole (denoted •), distinguishing rule productions for process expressions (so-called
process categories) from the rest. In particular, we would like to avoid adding holes to rule
productions for prefixes (i.e., productions for π in the syntax).

Definition 2.1. Given a process category E, we denote with E_• the process category with
rule productions obtained from those of E by:

(1) adding a new rule "E_• ::= •";

(2) replacing every rule "E ::= term" of E with a rule "E_• ::= term_•", where "term_•" is
obtained from "term" by syntactically replacing all process categories F occurring in
"term" by F_•.

Given an update pattern U and a process Q, we define U((Q)) as the process obtained by
filling in those holes in U not occurring inside update prefixes with Q.
Definition 2.2. The effect of replacing the holes in an update pattern U with a process
Q, denoted U((Q)), is defined inductively on U as follows:

$$\bullet((Q)) = Q \qquad (U_1 \parallel U_2)((Q)) = U_1((Q)) \parallel U_2((Q)) \qquad a[U]((Q)) = a[U((Q))]$$

$$\Big(\sum_{i \in I} \pi_i . U_i\Big)((Q)) = \sum_{i \in I} \pi_i . U_i((Q)) \qquad (!\pi . U)((Q)) = !\pi . (U((Q)))$$

This way, {·} can be intuitively seen as a scope delimiter for holes • in a{U}. Indeed, it
is worth observing that Definition 2.2 does not replace holes inside prefixes; this ensures a
consistent treatment of nested update actions.

We now move on to consider different variants of this basic syntax by means of two 
different characterizations. 

2.1.1. A Structural Characterization of Update. As anticipated in the Introduction, our
structural characterization of update in E defines two families of languages, namely E with
dynamic topology (denoted E_d) and E with static topology (denoted E_s). Here, "dynamic"
refers to the ability of creating and deleting adaptable processes, something allowed in
languages in E_d but not in those in E_s. The definition of E_d and E_s is parametric on update
patterns U.

Definition 2.3 (Dynamic E - E_d). The class of E processes with dynamic topology (E_d) is
described by the following grammar:

$$P ::= a[P] \;\mid\; P \parallel P \;\mid\; !\pi . P \;\mid\; \sum_{i \in I} \pi_i . P_i \qquad\qquad \pi ::= a \;\mid\; \bar{a} \;\mid\; a\{U\}$$

where U ::= P_•, as in Definition 2.1.



The definition of E_s makes use of two distinct process categories: P and A. Intuitively,
P corresponds to processes defining the (static) topology of adaptable processes; these are
populated by terms A, which do not include subprocesses of the kind a[Q].

Definition 2.4 (Static E - E_s). The class of E processes with static topology (E_s) is
described by the following grammar:

$$P ::= a[P] \;\mid\; P \parallel P \;\mid\; A$$

$$A ::= A \parallel A \;\mid\; !\pi . A \;\mid\; \sum_{i \in I} \pi_i . A_i \qquad\qquad \pi ::= a \;\mid\; \bar{a} \;\mid\; a\{a[U] \parallel A\}$$

where the syntax U ::= P_•, as in Definition 2.1, considering both P and A as process
categories.



Definition 2.4 relies on syntactic restrictions to ensure that the nesting structure of
adaptable processes in E_s remains invariant. The first restriction (i.e., no adaptable process
is removed) is manifest in update prefixes, which are always of the form a[U] || A; this forces
the recreation of the adaptable process a after every update, thus maintaining the static
structure of adaptable processes invariant. For the same reason, holes can only occur inside
the recreated adaptable process: this way, processes cannot be relocated outside a[U]. The
second restriction (i.e., no adaptable process is created) appears in the definition of A, which
decrees that no new adaptable processes occur behind a prefix. As we will discuss below, the
operational semantics ensures that these syntactic restrictions are preserved along process
execution.
Remark 2.5. Observe that every E_s process is, from a syntactic point of view, also an
E_d process. In fact, the update pattern U = a[U'] || A is a particular case of the possible
update patterns for E_d processes. The correspondence between processes in E_s and E_d from
the point of view of their operational semantics will be made more precise by Lemma 2.18.



2.1.2. A Behavioral Characterization of Update. We now move on to consider three concrete
instances of update patterns U and their associated variants of E_d and E_s.

Definition 2.6 (Update Patterns). We shall consider the following three instances of update
patterns for E_d and E_s:

(1) Full E (E_d^1 and E_s^1). The first update pattern admits all kinds of contexts for update
prefixes, i.e., U ::= P_•. These variants, corresponding to the above E_d and E_s, are
also denoted E_d^1 and E_s^1, respectively.

(2) Unguarded E (E_d^2 and E_s^2). In the second update pattern, holes cannot occur in the
scope of prefixes in U:

$$U ::= P \;\mid\; a[U] \;\mid\; U \parallel U \;\mid\; \bullet$$

The variants of E_d and E_s that adopt this update pattern are denoted E_d^2 and E_s^2,
respectively.

(3) Preserving E (E_d^3 and E_s^3). In the third update pattern, the current state of the
adaptable process is always preserved. Hence, it is only possible to add new adaptable
processes and/or behaviors in parallel, or to relocate it:

$$U ::= a[U] \;\mid\; U \parallel P \;\mid\; \bullet$$

The variants of E_d and E_s that adopt this update pattern are denoted E_d^3 and E_s^3,
respectively.



2.2. Semantics. The semantics of £ processes is given in terms of a Labeled Transition 
System (LTS). We introduce some auxiliary definitions first. 

Definition 2.7. Structural congruence ≡ is the smallest congruence relation generated by the
following laws: P || Q ≡ Q || P; P || (Q || R) ≡ (P || Q) || R.

Definition 2.8 (Normal Form). An E process P is said to be in normal form iff

$$P \equiv \prod_{i=1}^{m} P_i \;\parallel\; \prod_{j=1}^{n} a_j[P'_j]$$

where, for i ∈ {1, ..., m}, P_i is not of the form Q || Q' or a[Q], and, for all j ∈ {1, ..., n},
P'_j is in normal form. Note that if m = 0 then the normal form is simply P ≡ ∏_{j=1}^{n} a_j[P'_j];
similarly, if n = 0 then the normal form is P ≡ ∏_{i=1}^{m} P_i.

Lemma 2.9. Every E process is structurally congruent to a process in normal form. □
Figure 1: Containment structure denotation for P = P_1 || b[P_2] || a[P_3 || c[S]] (left) and
R = P_1 || d[S] (right), as in Example 2.11.



We now define the containment structure denotation of a process. Intuitively, it captures 
the tree-like structure induced by the nesting of adaptable processes. 

Definition 2.10 (Containment Structure). Let P ≡ ∏_{i=1}^{m} P_i || ∏_{j=1}^{n} a_j[P'_j] be an E process
in normal form. The containment structure denotation of P, denoted St(P), is built as
follows. The root is labeled ε, and has n children: the subtrees recursively built from
processes P'_1, ..., P'_n with roots labeled a_1, ..., a_n (instead of ε), respectively. When n = 1,
we say that the containment structure St(P) is single-child.

Example 2.11. Consider the processes P, Q, and R defined as

$$P = P_1 \parallel b[P_2] \parallel a[P_3 \parallel c[S]] \qquad Q = a.P_2 \parallel b[P_3] \parallel a[c[S]] \qquad R = P_1 \parallel d[S]$$

where P_1, P_2, P_3 do not contain adaptable processes. Then, P and Q have the same
containment structure denotation; it is depicted in Figure 1 (left). As for R, the containment
structure denotation St(R), which is single-child, is depicted in Figure 1 (right).

Given an update pattern U, the following two definitions on processes indicate the 
number of holes and adaptable processes which syntactically occur in U, respectively. In 
both cases, we do not consider occurrences inside nested update prefixes. 

Definition 2.12. Let U denote an E_s update pattern or an E_s process. The number of
adaptable processes which occur in U, denoted |U|_ap, is inductively defined as follows:

$$|\bullet|_{ap} = 0 \qquad |U_1 \parallel U_2|_{ap} = |U_1|_{ap} + |U_2|_{ap} \qquad |!\pi . U|_{ap} = 0$$

$$|a[U]|_{ap} = 1 + |U|_{ap} \qquad \Big|\sum_{i \in I} \pi_i . U_i\Big|_{ap} = 0$$

Notice that in the above definition, as we are considering E_s processes, the number of
adaptable processes after a prefix is necessarily 0.

Definition 2.13. Let U be an E_s update pattern. The number of holes which occur in U,
denoted |U|_•, is inductively defined as follows:

$$|\bullet|_{\bullet} = 1 \qquad |U_1 \parallel U_2|_{\bullet} = |U_1|_{\bullet} + |U_2|_{\bullet} \qquad |!\pi . U|_{\bullet} = |U|_{\bullet}$$

$$|a[U]|_{\bullet} = |U|_{\bullet} \qquad \Big|\sum_{i \in I} \pi_i . U_i\Big|_{\bullet} = \sum_{i \in I} |U_i|_{\bullet}$$

The following auxiliary notation will be useful to formalize the properties of £g processes 
along reductions. 



$$\textsc{(Comp)}\ \ a[P] \xrightarrow{\,a[P]\,} \ast \qquad \textsc{(Sum)}\ \ \sum_{i \in I} \pi_i . P_i \xrightarrow{\,\pi_i\,} P_i \quad (i \in I) \qquad \textsc{(Repl)}\ \ !\pi . P \xrightarrow{\,\pi\,} P \parallel !\pi . P$$

$$\textsc{(Loc)}\ \ \frac{P \xrightarrow{\,\alpha\,} P'}{a[P] \xrightarrow{\,\alpha\,} a[P']} \qquad \textsc{(Act1)}\ \ \frac{P_1 \xrightarrow{\,\alpha\,} P_1'}{P_1 \parallel P_2 \xrightarrow{\,\alpha\,} P_1' \parallel P_2} \qquad \textsc{(Tau1)}\ \ \frac{P_1 \xrightarrow{\,a\,} P_1' \quad P_2 \xrightarrow{\,\bar{a}\,} P_2'}{P_1 \parallel P_2 \xrightarrow{\,\tau\,} P_1' \parallel P_2'}$$

$$\textsc{(Tau3)}\ \ \frac{P_1 \xrightarrow{\,a[Q]\,} P_1' \quad P_2 \xrightarrow{\,a\{U\}\,} P_2' \quad \mathsf{cond}(U, Q)}{P_1 \parallel P_2 \xrightarrow{\,\tau\,} P_1'\{U((Q))/\ast\} \parallel P_2'}$$

Figure 2: LTS for E_d and E_s. Rules (Act2), (Tau2), and (Tau4) — the symmetric
counterparts of (Act1), (Tau1), and (Tau3) — have been omitted.

Definition 2.14. Let U be an E_s update pattern. The number of prefixed holes occurring
in U, denoted |U|_ph, is inductively defined as follows:

$$|\bullet|_{ph} = 0 \qquad |a[U]|_{ph} = |U|_{ph} \qquad |U_1 \parallel U_2|_{ph} = |U_1|_{ph} + |U_2|_{ph}$$

Example 2.15. Let P and U be an E_s process and an E_s update pattern defined as

$$P = a[b[Q_1] \parallel P_1] \parallel a\{U\}.P_2 \qquad U = b.d\{\bullet \parallel U_1\}.0 \parallel b[a.\bullet \parallel \bullet]$$

Then we have:

• |P|_ap = 2 + |Q_1|_ap + |P_1|_ap and |U|_ap = 1;
• |U|_• = 2 and |U|_ph = 1.

We are now ready to define an LTS semantics for E_d and another one for E_s. Both LTSs
are generated by the set of rules in Figure 2; they only differ on a condition associated to
update actions. This is the content of the following definition.

Definition 2.16 (LTS for E_d and E_s). Given transition labels

$$\alpha ::= a \;\mid\; \bar{a} \;\mid\; a[P] \;\mid\; a\{U\} \;\mid\; \tau$$

the LTS for E_d, denoted --->_d, is defined by the rules in Figure 2 in which, in rules (Tau3)
and (Tau4), we decree cond(U, Q) = true.

Similarly, the LTS for E_s, denoted --->_s, is defined by the rules in Figure 2 in which, in
rules (Tau3) and (Tau4), we decree that cond(U, Q) holds if we have:

(1) St(a[Q]) = St(a[U'((Q))] || A) where U = a[U'] || A, for some U', A, and

(2) |U|_ph > 0 ⇒ |Q|_ap = 0.

Remark 2.17. The LTSs for E_d and E_s are finitely branching. The proof proceeds by
induction on the syntactic structure of terms; the base cases are Σ_{i∈I} π_i.P_i.

We give intuitions on both LTSs. In addition to the standard CCS actions (input,
output, τ), we consider two complementary actions for process update: a{U} and a[P].
The former represents the availability of an update pattern U for the adaptable process at
a; the latter expresses the fact that the adaptable process at a, with current state P, is
ready to update. We often write ---> instead of --->_d and --->_s; the actual LTS used in
each case will be clear from the context. Similarly, we define the reduction relation → as
the τ-labeled transition --τ-->.

In Figure 2, rule (Comp) represents the contribution of a process at a in an update
operation; we use * to denote a unique placeholder. Rule (Loc) formalizes transparency
of localities. Rules (Sum), (Repl), (Act1), and (Tau1) are standard. Rule (Tau3)
formalizes process evolvability. To realize the evolution of an adaptable process at a, it
requires: (i) a process Q — which represents its current state; (ii) an update action offering
an update pattern U for updating the process at a — which is represented in P_1' by * (cf. rule
(Comp)); (iii) that cond(U, Q) holds (cf. Definition 2.16). As a result, * in P_1' is replaced
with process U((Q)) (cf. Definition 2.2).



It is useful to elaborate on the definition of cond(U, Q) — the only point in which the
LTS of E_d and that of E_s differ. While cond(U, Q) does not have influence on the update
actions of E_d processes, it does ensure that the syntactic restrictions associated to E_s
processes are preserved along transitions. As specified in Definition 2.16, the condition for
E_s processes is given in two parts. The first part ensures that the current structure of nested
adaptable processes — the containment structure denotation from a[Q] — is preserved once
Q is substituted into U as a result of the transition. The second part of the condition
ensures that no new adaptable processes will appear behind prefixes as a result of the update
operation. Recall that by the syntactic restrictions enforced by Definition 2.4, adaptable
processes cannot occur behind prefixes. In fact, and using the terminology introduced in
that definition, the syntax of E_s decrees that only processes in process category A (which
do not contain adaptable processes) can occur behind prefixes. The second part of the
condition ensures precisely this. As a simple example, this part of the condition rules out the
synchronization of adaptable process b[a[0]] with update prefix b{b[a[b.•]]}.Q, as it would
lead to the non-static process b[a[b.a[0]]] || Q.

By considering the syntactic restrictions associated to $\mathcal{E}_S$ processes, the following lemma characterizes the conditions under which $\mathsf{cond}(U_0, Q)$ holds for them.

Lemma 2.18. Let $Q$ and $U_0 = a[U] \parallel A$ be an $\mathcal{E}_S$ process and an update pattern, respectively. Also, let $A$ be as in Definition 2.4. We have

$$\mathsf{St}(a[Q]) = \mathsf{St}(a[U\{\!\{Q\}\!\}] \parallel A) \;\wedge\; (|U|_{ph} > 0 \Rightarrow |Q|_{ap} = 0) \qquad (2.1)$$

if and only if one of the following holds:

(0) $|U|_\bullet = 0 \wedge \mathsf{St}(Q) = \mathsf{St}(U)$.

(1) $|U|_\bullet = 1 \wedge |U|_{ap} = 0 \wedge (|U|_{ph} > 0 \Rightarrow |Q|_{ap} = 0)$.

(2) $|U|_\bullet > 1 \wedge |U|_{ap} = 0 \wedge |Q|_{ap} = 0$.

Proof. The "if" direction is straightforward by observing that by definition $|A|_{ap} = 0$. Therefore, (2.1) reduces to

$$\mathsf{St}(Q) = \mathsf{St}(U\{\!\{Q\}\!\}) \;\wedge\; (|U|_{ph} > 0 \Rightarrow |Q|_{ap} = 0)$$

and the analysis focuses on the structure of $U$. Hence if $|U|_\bullet = 0$ then immediately from (2.1) we have $\mathsf{St}(Q) = \mathsf{St}(U)$. If $|U|_\bullet = 1$ then as $\mathsf{St}(Q) = \mathsf{St}(U\{\!\{Q\}\!\})$ we have that $|U|_{ap} = 0$ and from the second part of (2.1) we conclude $(|U|_{ph} > 0 \Rightarrow |Q|_{ap} = 0)$. Finally, if $|U|_\bullet > 1$ following from $\mathsf{St}(Q) = \mathsf{St}(U\{\!\{Q\}\!\})$ we conclude $|U|_{ap} = 0$ and $|Q|_{ap} = 0$.

As for the "only if" direction, we consider each item separately:

• Item (0): Then $Q$ occurs exactly once only at the left-hand side of the desired equality. Using the first part of the item (i.e., $|U|_\bullet = 0$) we infer that $U\{\!\{Q\}\!\} = U$. Since by definition $|A|_{ap} = 0$, we have that the second part of the item (i.e., $\mathsf{St}(Q) = \mathsf{St}(U)$) is enough to obtain $\mathsf{St}(a[Q]) = \mathsf{St}(a[U] \parallel A)$, as wanted.

• Item (1): Then $Q$ occurs exactly once in both sides of the desired equality. The second part of the item (i.e., $|U|_{ap} = 0$) guarantees that $U\{\!\{Q\}\!\}$ does not involve any adaptable processes different from those in $Q$. The third condition ensures that no adaptable processes occur behind prefixes: if $Q$ has adaptable processes then it should necessarily occur at the top level in $U\{\!\{Q\}\!\}$. Hence, the thesis follows.

• Item (2): Then $Q$ occurs exactly once in the right-hand side of the equality, and arbitrarily many times in the left-hand side. The second part of the condition, on the number of adaptable processes in $U$, follows the same motivations as in the previous case. Given the possibility of arbitrarily many occurrences of $Q$ in the left-hand side, the only option to ensure identical containment structure denotations in both sides is to forbid adaptable processes inside $Q$, hence the third part of the condition. □

The following lemma is standard: 

Lemma 2.19. Let $P$ be an $\mathcal{E}$ process. Structural congruence is preserved by reduction: if $P \equiv Q$ and $P \longrightarrow P'$, then also $Q \longrightarrow Q'$ for some $P' \equiv Q'$. □

The following lemma states that $\mathcal{E}_S$ processes are closed under reduction. Hence, the operational semantics of $\mathcal{E}_S$ preserves the syntactic conditions of Definition 2.4.

Lemma 2.20 (Static topologies are preserved by reduction). Let $P$ be an $\mathcal{E}_S$ process. If $P \longrightarrow P'$ then also $P'$ is an $\mathcal{E}_S$ process. Moreover, $\mathsf{St}(P) = \mathsf{St}(P')$.

Proof. By induction on the derivation of $P \longrightarrow P'$. See Appendix A.1, Page 52. □



2.3. From Static to Dynamic Topologies. We have already remarked that from a syntactic point of view every $\mathcal{E}_S$ process is also an $\mathcal{E}_D$ process. As far as the operational semantics is concerned, an $\mathcal{E}_S$ process could have fewer possible computations due to the additional constraint $\mathsf{cond}(U, Q)$ of the rules (Tau3) and (Tau4). Nevertheless, in this section we show that it is always possible to translate a process with static topology into a process with dynamic topology which has the same semantics (the two LTSs are isomorphic). More precisely, we will define an encoding $[\![\cdot]\!]_S : \mathcal{E}_S \to \mathcal{E}_D$ such that the following holds:

$$P \longrightarrow_S P' \quad\text{if and only if}\quad [\![P]\!]_S \longrightarrow_D [\![P']\!]_S$$

We start by presenting some auxiliary definitions. 

Definition 2.21. Let $P$ be an $\mathcal{E}_D$ process. We define the set

$$\mathsf{Subst}(P) = \{\, \mathsf{St}(a[P']) \mid a[P'] \text{ is a subterm of } P \,\}$$

Hence, $\mathsf{Subst}(P)$ is a set of trees: it contains the containment structure denotations of the adaptable processes occurring in $P$. Notice that by construction $\mathsf{Subst}(P)$ is a set of single-child containment structure denotations.

Example 2.22. Let $P$ be as in Example 2.11. Then, we have

$$\mathsf{Subst}(P) = \{\, \mathsf{St}(a[P_3 \parallel c[S]]),\ \mathsf{St}(b[P_2]),\ \mathsf{St}(c[S]) \,\} \cup \mathsf{Subst}(S)$$
Convention 2.23. Below $P$ and $a$ stand for an $\mathcal{E}_D$ process and a name, respectively.

• Let $S$ be a set of containment structure denotations. We write $S \mid a$ to represent the subset of single-child containment structure denotations of $S$ in which the label of the only child of the root is $a$.

• We assume an injective function $\varphi$ that associates containment structure denotations to names in $\mathcal{N}$. We use $\kappa, \kappa', \ldots$ to range over the codomain of $\varphi$. Moreover, for every $P$ such that $|P|_{ap} = 0$, we fix $\varphi(\mathsf{St}(a[P])) = \kappa_a$. The definition of $\varphi$ extends to sets of containment structure denotations as expected; this way, e.g., $\varphi(S \mid a)$ stands for the set of names associated to those single-child containment structure denotations in $S$ with label $a$. With a slight abuse of notation, we sometimes write $\varphi(a[P])$ instead of $\varphi(\mathsf{St}(a[P]))$.

We are now ready to present the definition of $[\![\cdot]\!]_S$.

Definition 2.24. Adopting the notations in Convention 2.23, let $P$ and $U$ be an $\mathcal{E}_S$ process and an $\mathcal{E}_S$ update pattern, respectively. Also, let $S$ be a set of containment structure denotations such that $\mathsf{Subst}(P) \subseteq S$. Moreover, assume $\mathsf{err} \notin \varphi(S)$. The encoding of $P$ into an $\mathcal{E}_D$ process over $\mathcal{N}$, denoted $[\![P]\!]_S$, is inductively defined in Figure 3, where

• C1 stands for $|U|_\bullet = 0$;

• C2 stands for $(|U|_\bullet = 1 \wedge |U|_{ph} > 0 \wedge |U|_{ap} = 0) \vee (|U|_\bullet > 1 \wedge |U|_{ap} = 0)$;

• C3 stands for $|U|_\bullet = 1 \wedge |U|_{ph} = 0 \wedge |U|_{ap} = 0$;

• C4 stands for $|U|_\bullet \neq 0 \wedge |U|_{ap} \neq 0$.

We now comment on the definition in Figure 3. Unsurprisingly, the encoding only concerns adaptable processes and update prefixes; input and output prefixes are not modified (cf. line (6)), and guarded sum, parallel composition, and holes are treated homomorphically (cf. lines (7), (8), and (9), respectively). Intuitively, the encoding captures correct update actions by renaming every adaptable process and update prefix according to their containment structure denotation. This way, an adaptable process $a[P]$ is translated into an adaptable process on name $\kappa$, which depends on its containment structure denotation (cf. line (1)). The intention of this renaming is to allow synchronization only with update prefixes on name $\kappa$, that is, with update prefixes having the same containment structure denotation; this way, condition $\mathsf{St}(U) = \mathsf{St}(Q)$ in the LTS of $\mathcal{E}_S$ is enforced via name equality. As for the encoding of a process $P$ at $a$, it is important to observe that the definition of $\mathcal{E}_S$ ensures that holes syntactically occurring in $P$ do not occur at top level — they can only appear inside an update prefix. As such, they are handled by lines (2)–(7) in recursive applications of the encoding.

Clearly, update prefixes must be modified accordingly; there are four different possibilities, represented by conditions C1–C4 of Definition 2.24:

• C1 captures the cases in which the update pattern $U$ does not contain holes, i.e., $U$ is a process. Update prefixes with update patterns of this kind are encoded homomorphically, renaming the prefix accordingly (cf. line (2)). Together with the above explained renaming of adaptable processes with respect to the structure of their contents, this condition corresponds to Lemma 2.18(0).

• C2 captures the cases in which the update prefix is only meant to interact with adaptable processes whose content have no adaptable processes. As explained before, and by the definition of $\varphi$, these are adaptable processes of the form $\kappa_a[P]$ (with $|P|_{ap} = 0$); this explains the encoding described in line (3). According to Lemma 2.18, this is the case when (i) the update pattern $U$ of the update prefix has exactly one hole that occurs behind a prefix (cf. Lemma 2.18(1) when $|U|_{ph} > 0$) or (ii) $U$ has more than one hole (cf. Lemma 2.18(2)).

• C3 captures the cases in which the update pattern $U$ has exactly one hole which does not occur behind a prefix. These are update prefixes that may synchronize with any adaptable process at name $a$. In order to account for all the possibilities, each non replicated update prefix at $a$ is encoded as a sum of prefixed processes, each summand corresponding to an update prefix on a name $\kappa_i \in \varphi(S \mid a)$. The only difference between the summands is the name of the update prefix; the update pattern within the update prefix and its continuation is the same for all of them (cf. line (3a)). When the update prefix is replicated, rather than the sum of all possible adaptable processes, we consider their product (cf. line (3b)). This condition corresponds to Lemma 2.18(1) when $|U|_{ph} = 0$.

• C4 captures those update patterns that do not adhere to any of the conditions of Lemma 2.18. Hence, interaction with these prefixes may lead to ill-formed $\mathcal{E}_S$ processes. To prevent such undesirable interactions, these update prefixes are renamed into $\mathsf{err}$ — a distinguished name signaling error (cf. line (5)).

Figure 3: The encoding $[\![\cdot]\!]_S : \mathcal{E}_S \to \mathcal{E}_D$ given in Definition 2.24.

(1) $[\![a[P]]\!]_S = \kappa[[\![P]\!]_S]$ with $\kappa = \varphi(a[P])$

(2) $[\![\ddagger a\{a[U] \parallel A\}.U_1]\!]_S = \ddagger\kappa\{\kappa[[\![U]\!]_S] \parallel [\![A]\!]_S\}.[\![U_1]\!]_S$ with $\kappa = \varphi(a[U])$, if C1

(3) $[\![\ddagger a\{a[U] \parallel A\}.U_1]\!]_S = \ddagger\kappa_a\{\kappa_a[[\![U]\!]_S] \parallel [\![A]\!]_S\}.[\![U_1]\!]_S$, if C2

(3a) $[\![a\{a[U] \parallel A\}.U_1]\!]_S = \sum_{\kappa_i \in \varphi(S \mid a)} \kappa_i\{\kappa_i[[\![U]\!]_S] \parallel [\![A]\!]_S\}.[\![U_1]\!]_S$, if C3

(3b) $[\![\,!a\{a[U] \parallel A\}.U_1]\!]_S = \prod_{\kappa_i \in \varphi(S \mid a)} !\kappa_i\{\kappa_i[[\![U]\!]_S] \parallel [\![A]\!]_S\}.[\![U_1]\!]_S$, if C3

(5) $[\![\ddagger a\{a[U] \parallel A\}.U_1]\!]_S = \ddagger\mathsf{err}\{\mathbf{0}\}.[\![U_1]\!]_S$, if C4

(6) $[\![\ddagger\pi.U]\!]_S = \ddagger\pi.[\![U]\!]_S$ if $\pi = a$ or $\pi = \overline{a}$

(7) $[\![\sum_i \pi_i.U_i]\!]_S = \sum_i [\![\pi_i.U_i]\!]_S$

(8) $[\![U_1 \parallel U_2]\!]_S = [\![U_1]\!]_S \parallel [\![U_2]\!]_S$

(9) $[\![\bullet]\!]_S = \bullet$

Above, $\ddagger\pi.P$ denotes a possibly replicated prefixed process: $\ddagger\pi.P$ is either $!\pi.P$ or $\pi.P$, with $\ddagger$ being the same on both sides of the definition.

Before stating the correctness of the encoding, we illustrate it further through a series of 
examples. 



Example 2.25. Below, notice that by virtue of Definition 2.4, $|A_i|_{ap} = 0$ for every $A_i$.

(1) Given the $\mathcal{E}_S$ process

$$P_1 = b[c[A_1 \parallel A_2]] \parallel b[d[e.A_3]] \parallel b\{c[A_1]\}.Q_2$$

we have the $\mathcal{E}_D$ process

$$[\![P_1]\!]_S = \kappa_1[[\![c[A_1 \parallel A_2]]\!]_S] \parallel \kappa_2[[\![d[e.A_3]]\!]_S] \parallel \kappa_1\{[\![c[A_1]]\!]_S\}.[\![Q_2]\!]_S$$

with $\kappa_1 = \varphi(b[c[A_1 \parallel A_2]])$, $\kappa_2 = \varphi(b[d[e.A_3]])$. Notice how the renaming to $\kappa_2$ rules out the possibility of an update action for the second adaptable process on $b$.

(2) Given the $\mathcal{E}_S$ process

$$P_2 = c[A_1] \parallel c[A_2] \parallel d[A_3] \parallel d[e[A_4]] \parallel c\{c[\bullet \parallel \bullet] \parallel A_5\}.Q_1 \parallel d\{d[A_6 \parallel a.\bullet]\}.Q_2$$

we have the $\mathcal{E}_D$ process

$$[\![P_2]\!]_S = \kappa_c[[\![A_1]\!]_S] \parallel \kappa_c[[\![A_2]\!]_S] \parallel \kappa_d[[\![A_3]\!]_S] \parallel \kappa_1[[\![e[A_4]]\!]_S] \parallel \kappa_c\{\kappa_c[\bullet \parallel \bullet] \parallel [\![A_5]\!]_S\}.[\![Q_1]\!]_S \parallel \kappa_d\{\kappa_d[[\![A_6]\!]_S \parallel a.\bullet]\}.[\![Q_2]\!]_S$$

with $\kappa_1 = \varphi(d[e[A_4]])$. Notice how the renaming to $\kappa_1$ rules out the possibility of an update action for the second adaptable process on $d$.

(3) Given the $\mathcal{E}_S$ process $P_3$ defined as:

$$P_3 = e[f[A_1]] \parallel e[g[h[A_2] \parallel A_3]] \parallel \big(e\{e[\bullet] \parallel A_4\}.Q_1 + e\{e[f[\bullet \parallel \bullet]] \parallel A_4\}.Q_2\big)$$

we have (assuming $S$ to be minimal) the $\mathcal{E}_D$ process

$$[\![P_3]\!]_S = \kappa_1[[\![f[A_1]]\!]_S] \parallel \kappa_2[[\![g[h[A_2] \parallel A_3]]\!]_S] \parallel \big(\kappa_1\{\kappa_1[\bullet] \parallel [\![A_4]\!]_S\}.[\![Q_1]\!]_S + \kappa_2\{\kappa_2[\bullet] \parallel [\![A_4]\!]_S\}.[\![Q_1]\!]_S + \mathsf{err}\{\mathbf{0}\}.[\![Q_2]\!]_S\big)$$

with $\kappa_1 = \varphi(e[f[A_1]])$ and $\kappa_2 = \varphi(e[g[h[A_2] \parallel A_3]])$.

Observe how the first summand in $P_3$ has been duplicated in $[\![P_3]\!]_S$, so as to account for the two possible update actions on $e$.

We are in place to state the promised correspondence between $\mathcal{E}_S$ and $\mathcal{E}_D$ processes:

Theorem 2.26. Let $P$ be an $\mathcal{E}_S$ process. Also, let $S$ be a set of containment structure denotations, such that $\mathsf{Subst}(P) \subseteq S$. Then we have:

$$P \longrightarrow_S P' \quad\text{if and only if}\quad [\![P]\!]_S \longrightarrow_D [\![P']\!]_S$$

Proof (Sketch). The proof is in two parts, one for the "if" direction and another for the "only if" direction. In both cases, we proceed by induction on the height of the derivation tree for $P \longrightarrow_S P'$ (resp. $[\![P]\!]_S \longrightarrow_D [\![P']\!]_S$) with a case analysis on the last applied rule. For the former, we rely on the characterization of reduction for $\mathcal{E}_S$ processes given by Lemma 2.18 so as to show that a reduction in the static side is preserved in the dynamic side. As for the latter, the proof is similar, and exploits the fact that the encoding transforms update prefixes that may lead to incorrect update actions into "error" update prefixes which are unable to participate in reductions. This ensures that for every dynamic reduction there is also a static reduction. See Appendix A.2 in Page 53 for details. □
3. Correctness Properties: Bounded and Eventual Adaptation

Here we define the correctness problems that we consider throughout the paper. We would like adaptation properties defined in the most general way possible; this allows us to analyze models of evolvable systems in different settings. For this purpose, our correctness properties are stated in terms of observability predicates, or barbs. The definition of barbs is parameterized on the number of repetitions of a given signal. We thus obtain a uniform definition for bounded and repeated weak barbs.

Definition 3.1 (Barbs). Let $P$ be an $\mathcal{E}$ process, and let $\alpha$ be an action in $\{a, \overline{a} \mid a \in \mathcal{N}\}$. We write $P \downarrow_\alpha$ if there exists a $P'$ such that $P \xrightarrow{\alpha} P'$. Moreover:

• Given $k > 0$, we write $P \Downarrow^k_\alpha$ iff there exist $Q_1, \ldots, Q_k$ such that $P \longrightarrow^* Q_1 \longrightarrow \ldots \longrightarrow Q_k$ with $Q_i \downarrow_\alpha$ for every $i \in \{1, \ldots, k\}$.

• We write $P \Downarrow^\omega_\alpha$ iff there exists an infinite computation $P \longrightarrow^* Q_1 \longrightarrow Q_2 \longrightarrow \ldots$ with $Q_i \downarrow_\alpha$ for every $i \in \mathbb{N}^+$.

Furthermore, we use $P \not\Downarrow^k_\alpha$ and $P \not\Downarrow^\omega_\alpha$ to denote the negation of $P \Downarrow^k_\alpha$ and $P \Downarrow^\omega_\alpha$.

We shall consider two instances of the problem of reaching an error configuration in an 
aggregation of terms, or cluster. A cluster is a process obtained as the parallel composition of 
an initial process P with an arbitrary set of processes M representing its possible subsequent 
modifications. That is, processes in M may contain update actions on the names of the 
adaptable processes in P, and therefore may potentially lead to its modification (evolution). 

Definition 3.2 (Cluster). Let $P, P_1, \ldots, P_n$ be $\mathcal{E}$ processes and $M = \{P_1, \ldots, P_n\}$. The set of clusters $\mathit{CS}^M_P$ is defined as:

$$\mathit{CS}^M_P = \Big\{\, P \parallel \prod^{m_1} P_1 \parallel \cdots \parallel \prod^{m_n} P_n \;\Big|\; m_1, \ldots, m_n \in \mathbb{N} \cup \{0\} \,\Big\}$$

The adaptation problems below formalize correctness of clusters with respect to their ability for recovering from errors by means of update actions. More precisely, given a set of clusters $\mathit{CS}^M_P$ and a barb $e$ (signaling an error), we would like to know if all computations of processes in $\mathit{CS}^M_P$

(1) have at most $k$ consecutive states exhibiting $e$, or

(2) have a finite number of consecutive states exhibiting $e$.

We thus have the following definition:

Definition 3.3 (Adaptation Problems). Suppose an initial process $P$, a set of processes $M$, and a barb $e$.

• Given $k > 0$, the bounded adaptation problem (BA) consists in checking whether for all processes $R \in \mathit{CS}^M_P$, $R \not\Downarrow^k_e$ holds.

• Similarly, the eventual adaptation problem (EA) consists in checking whether for all processes $R \in \mathit{CS}^M_P$, $R \not\Downarrow^\omega_e$ holds.
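To make Definitions 3.1 and 3.3 concrete, here is an added example (not code from the paper) that decides BA and EA over a constructed finite-state abstraction of a cluster's reduction graph: the state names, the edge relation and the set of states in which the error barb e is observable are all assumptions chosen for illustration, and since processes of the calculus are infinite-state in general, the block only illustrates what the two problems ask.

```python
import math

# Constructed finite-state abstraction (not from the paper). A cluster's reduction
# graph is flattened to named states; an edge s -> t is one reduction step, and ERR
# is the set of states in which the error barb e is observable (R ↓_e).
TS_RECOVERS = {
    "idle":      ["fault"],         # an error is raised
    "fault":     ["fault_ack"],     # ↓_e
    "fault_ack": ["repairing"],     # ↓_e
    "repairing": ["idle"],          # update applied, barb e gone
}
# Same system, but the faulty state can also re-enter itself: an infinite
# computation made only of erroneous states exists.
TS_STUCK = {
    "idle":      ["fault"],
    "fault":     ["fault", "fault_ack"],
    "fault_ack": ["repairing"],
    "repairing": ["idle"],
}
ERR = {"fault", "fault_ack"}


def reachable(ts, init):
    """States reachable from init via ->* (reflexive-transitive closure)."""
    seen, work = {init}, [init]
    while work:
        s = work.pop()
        for t in ts.get(s, ()):
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen


def max_error_run(ts, init, err):
    """Largest k such that some computation init ->* Q_1 -> ... -> Q_k has every
    Q_i exhibiting e (Definition 3.1); math.inf if an infinite such computation
    exists, which on a finite graph means a cycle inside the error subgraph."""
    err_nodes = {s for s in reachable(ts, init) if s in err}
    longest = {}        # finished states -> length of the longest error run from them
    on_stack = set()    # states on the current DFS path (cycle detection)

    def dfs(s):
        if s in longest:
            return longest[s]
        if s in on_stack:
            return math.inf          # back edge: the error states form a cycle
        on_stack.add(s)
        best = 0
        for t in ts.get(s, ()):
            if t in err_nodes:       # only successors that still exhibit e count
                best = max(best, dfs(t))
        on_stack.discard(s)
        longest[s] = 1 + best
        return longest[s]

    return max((dfs(s) for s in err_nodes), default=0)


def bounded_adapt(ts, init, err, k):
    """BA (Definition 3.3): holds iff no computation has k consecutive erroneous
    states, i.e. init does not satisfy the barb ⇓^k_e."""
    return max_error_run(ts, init, err) < k


def eventual_adapt(ts, init, err):
    """EA (Definition 3.3): holds iff every erroneous phase is finite, i.e. init
    does not satisfy the barb ⇓^ω_e."""
    return max_error_run(ts, init, err) != math.inf


if __name__ == "__main__":
    for name, ts in (("recovers", TS_RECOVERS), ("stuck", TS_STUCK)):
        k = max_error_run(ts, "idle", ERR)
        print(f"{name}: longest error run = {k}, "
              f"BA(3) = {bounded_adapt(ts, 'idle', ERR, 3)}, "
              f"EA = {eventual_adapt(ts, 'idle', ERR)}")
```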

Similarly to processes, static clusters can be encoded into equivalent dynamic ones.

Definition 3.4. Let $P, P_1, \ldots, P_n$ be $\mathcal{E}_S$ processes such that $M = \{P_1, \ldots, P_n\}$. The static cluster set $\mathit{CS}^M_P$ is transformed into a dynamic cluster set $[\![\mathit{CS}^M_P]\!]_S = \mathit{CS}^{M'}_{P'}$ by taking $P' = [\![P]\!]_S$ and $M' = \{[\![P_1]\!]_S, \ldots, [\![P_n]\!]_S\}$, where $S = \mathsf{Subst}(P) \cup \bigcup_{1 \leq i \leq n} \mathsf{Subst}(P_i)$.

Theorem 3.5. Let $P, P_1, \ldots, P_n$ be $\mathcal{E}_S$ processes such that $M = \{P_1, \ldots, P_n\}$. Then we have $[\![\mathit{CS}^M_P]\!]_S = \{[\![C]\!]_S \mid C \in \mathit{CS}^M_P\}$, where $S = \mathsf{Subst}(P) \cup \bigcup_{1 \leq i \leq n} \mathsf{Subst}(P_i)$.

Proof. Immediate by observing that by Definition 2.24 $[\![\cdot]\!]_S$ is a homomorphism with respect to parallel composition, i.e., $[\![P \parallel Q]\!]_S = [\![P]\!]_S \parallel [\![Q]\!]_S$. □

Notice that, for every cluster $C$ in $[\![\mathit{CS}^M_P]\!]_S$, by construction we have $\mathsf{Subst}(C) \subseteq S$. Hence, the operational correspondence given by Theorem 2.26 is individually applicable to each cluster.



4. Adaptable Processes, By Examples 

Next we present some concrete scenarios of adaptable processes and discuss their representation as $\mathcal{E}$ processes. We also comment on how the adaptation properties proposed in the paper (and their associated decidability results) relate to such scenarios.

4.1. Mode Transfer Operators. Dynamic behavior at the process level has been defined by means of two so-called mode transfer operators. Given processes $P$ and $Q$, the disrupt operator starts executing $P$ but at any moment it may abandon $P$ and execute $Q$ instead. The interrupt operator is similar, but it returns to execute what is left of $P$ once $Q$ emits a termination signal. We can represent similar mechanisms in $\mathcal{E}$ as follows:

$$\mathit{disrupt}_a(P, Q) = a[P] \parallel a\{Q\} \qquad\qquad \mathit{interrupt}_a(P, Q) = a[P] \parallel a\{Q \parallel t_Q.\bullet\}$$

Assuming that $P$ can evolve on its own to $P'$, the semantics of $\mathcal{E}$ decrees that $\mathit{disrupt}_a(P, Q)$ may evolve either to $a[P'] \parallel a\{Q\}$ (as locality $a$ is transparent) or to $Q$ (which represents disruption at $a$). Similarly, by assuming that $P$ was able to evolve into $P''$ just before being interrupted, process $\mathit{interrupt}_a(P, Q)$ evolves to $Q \parallel t_Q.P''$. Above, we assume that $a$ is not used in $P$ and $Q$, and that termination of $Q$ is signaled at the designated name $t_Q$.

These simple definitions show how defining $P$ as an adaptable process at $a$ is enough to formalize its potential disruption/interruption. It is worth observing that the encoding of $\mathit{interrupt}_a(P, Q)$ can only be an $\mathcal{E}_D$ process: in the update action at $a$, there is a hole occurring behind a prefix (hence, it is not an $\mathcal{E}_S$ process) and the topology of adaptable processes is dynamic (since $a$ does not occur in $Q$, the adaptable process cannot be rebuilt after interruption). In contrast, the encoding of $\mathit{disrupt}_a(P, Q)$ is both an $\mathcal{E}_S$ and an $\mathcal{E}_D$ process, as in the update pattern there are no holes in the scope of prefixes (in fact, the update pattern does not have any holes).

4.2. Dynamic Update in Workflow Applications. Designing business/enterprise applications in terms of workflows is a common practice nowadays. A workflow is a conceptual unit that describes how a number of activities coordinate to achieve a particular task. A workflow can be seen as a container of activities; such activities are usually defined in terms of simpler ones, and may be software-based (such as, e.g., "retrieve credit information from the database") or may depend on human intervention (such as, e.g., "obtain the signed authorization from the credit supervisor"). As such, workflows are typically long-running and have a transactional character. A workflow-based application usually consists of a workflow runtime engine that contains a number of workflows running concurrently on top of it; a workflow base library on which activities may rely; and of a number of runtime services, which are application dependent and implement things such as transaction handling and communication with other applications. A simple abstraction of a workflow application is the following $\mathcal{E}$ process:

$$\mathit{App} = \mathit{wfa}\big[\, \mathit{we}[\mathit{WE} \parallel W_1 \parallel \cdots \parallel W_k \parallel \mathit{wbl}[\mathit{BL}]] \parallel S_1 \parallel \cdots \parallel S_j \,\big]$$

where the application is modeled as an adaptable process $\mathit{wfa}$ which contains a workflow engine $\mathit{we}$ and a number of runtime services $S_1, \ldots, S_j$. In turn, the workflow engine contains a number of workflows $W_1, \ldots, W_k$, a process $\mathit{WE}$ (which represents the engine's behavior and is left unspecified), and an adaptable process $\mathit{wbl}$ representing the base library (also left unspecified). As described before, each workflow is composed of a number of activities. We model each $W_j$ as an adaptable process $w_j$ containing a process $\mathit{WL}_j$ — representing the workflow's logic — and $n$ activities. Each of them is formalized as an adaptable process $a_j$ and an execution environment $\mathit{env}_j$:

$$W_j = w_j\Big[\, \mathit{WL}_j \parallel \prod_{j=1}^{n} \big(\mathit{env}_j[P_j] \parallel a_j[\,!u_j.\mathit{env}_j\{\mathit{env}_j[\bullet \parallel A_j]\}\,]\big) \,\Big]$$

The current state of the activity $j$ is represented by process $P_j$ running in $\mathit{env}_j$. Locality $a_j$ contains an update action for $\mathit{env}_j$, which is guarded by $u_j$ and always available. As defined above, such an update action allows to add process $A_j$ to the current state of the execution environment of $j$. It can also be seen as a procedure that is not yet active, and that becomes active only upon reception of an output at $u_j$ from, e.g., $\mathit{WL}_j$. Notice that by defining update actions on $a_j$ (inside $\mathit{WL}_j$, for instance) we can describe the evolution of the execution environment. An example of this added flexibility is the process

$$U_1 = \;!\mathit{replace}_j.\, a_j\{\, a_j[\,!u_j.\mathit{env}_j\{\mathit{env}_j[\bullet \parallel A'_j]\}\,] \,\}$$

Hence, given an output at $\mathit{replace}_j$, process $a_j[!u_j.\mathit{env}_j\{\mathit{env}_j[\bullet \parallel A_j]\}] \parallel U_1$ evolves to $a_j[!u_j.\mathit{env}_j\{\mathit{env}_j[\bullet \parallel A'_j]\}]$, thus discarding $A_j$ in a future evolution of $\mathit{env}_j$. This kind of dynamic update is available in commercial workflow engines, such as the Windows Workflow Foundation (WWF) [44]. Above, for simplicity, we have abstracted from lock mechanisms that keep consistency between concurrent updates on $\mathit{env}_j$ and $a_j$.

In the above processes, it is worth observing that if processes $A_j$ and $A'_j$ contain no adaptable processes, then $W_j$ is an $\mathcal{E}_S$ process. This is because the update action at $\mathit{env}_j$ recreates the adaptable process, and preserves the previous state with a hole that is in parallel to $A_j$. Otherwise, $W_j$ would be an $\mathcal{E}_D$ process, as the topology of adaptable processes would change as a result of an update action on $\mathit{env}_j$. For the sake of the example, suppose an emergency activity that executes inside the workflow: process $P_j$ would emit a signal representing an urgent request, and an update action at $\mathit{env}_j$ would represent a response to the emergency, implemented as process $A_j$. The two adaptation problems are useful to represent the future state of the workflow in which the emergency has been controlled: EA refers to an undetermined future state in which the request signal disappears (meaning that the emergency will be eventually controlled); whereas BA refers to a fixed future state in which the request signal disappears (meaning that the emergency will be controlled within a certain bound). The topology of $A_j$ is relevant in the light of our decidability results for these two properties: if $W_j$ is given as an $\mathcal{E}_S$ process, then both EA and BA are decidable; otherwise, if $W_j$ is given as an $\mathcal{E}_D$ process, then only BA would be decidable.
In the WWF, dynamic update can also take place at the level of the workflow engine. This way, e.g., the engine may suspend those workflows which have been inactive for a certain amount of time. This optimizes resources at runtime, and favors active workflows. We can implement this policy as part of the process $\mathit{WE}$ as follows:

$$U_2 = \;!\mathit{suspend}_j.\, w_j\{\,!\mathit{resume}_j.\, w_j[\bullet]\,\}$$

This way, given an output signal at $\mathit{suspend}_j$, process $w_j[W_j] \parallel U_2$ evolves to the persistent process $!\mathit{resume}_j.\, w_j[W_j]$ which can be reactivated at a later time. Observe that, in case one considers policies such as $U_2$, then we would end up with an $\mathcal{E}_D$ process, as the hole and an adaptable process occur guarded behind a prefix.

4.3. Scaling in Cloud Computing Applications. In the emerging cloud computing paradigm, applications are deployed in the infrastructure offered by external providers. Developers act as clients: they only pay for the resources they consume (usually measured as the processor time in remote instances) and for associated services (e.g., performance metrics or automated load balancing). Central to the paradigm is the goal of optimizing resources for both clients and provider. An essential feature towards that goal is scaling: the capability that cloud applications have for expanding themselves in times of high demand, and for reducing themselves when the demand is low. Scaling can be appreciated in, e.g., the number of running instances supporting the application, and may have important financial effects. Consequently, cloud providers such as Amazon's Elastic Cloud Computing (EC2) [S] offer libraries, APIs and services for autoscaling; also common are external tools which build on available APIs to implement sophisticated scaling policies.

Here we represent a cloud computing application as adaptable processes. Our focus is on the formalization of scaling policies, drawing inspiration from the autoscaling library provided by EC2. For scaling purposes, applications in EC2 are divided into groups, each defining different scaling policies for different parts of the application. This way, e.g., the part of the application deployed in Europe can have different scaling policies from the part deployed in the US. Each group is then composed of a number of identical instances implementing the web application, and of active processes implementing the scaling policies.

This scenario can be abstracted in $\mathcal{E}$ as the process $\mathit{App} \triangleq G_1 \parallel \cdots \parallel G_n$, with

$$G_i = \big[\, I \parallel \cdots \parallel I \parallel S_{dw} \parallel S_{up} \parallel \mathit{CTRL}_i \,\big]$$

where each group $G_i$ contains a fixed number of running instances, each represented by $I = \mathit{mid}[A]$, a process that abstracts an instance as an adaptable process with an identification $\mathit{mid}$ and state $A$. Also, $S_{dw}$ and $S_{up}$ stand for the processes implementing scaling down and scaling up policies, respectively. Process $\mathit{CTRL}_i$ abstracts the part of the system which controls scaling policies for group $i$. In practice, this control relies on external services (such as, e.g., services that monitor cloud usage and produce appropriate alerts). A simple way of abstracting scaling policies is the following:

$$S_{dw} = s_d\Big[\, !\mathit{alert}^d.\prod^{j} \mathit{mid}\{\mathbf{0}\} \,\Big] \qquad\qquad S_{up} = s_u\Big[\, !\mathit{alert}^u.\prod^{k} \mathit{mid}\{\mathit{mid}[\bullet] \parallel \mathit{mid}[\bullet]\} \,\Big]$$

Given proper alerts from $\mathit{CTRL}_i$, the above processes modify the number of running instances. In fact, given an output at $\mathit{alert}^d$, process $S_{dw}$ destroys $j$ instances. This is achieved by leaving the inactive process as the new state of locality $\mathit{mid}$. Similarly, given an output at $\mathit{alert}^u$, process $S_{up}$ spawns $k$ update actions, each creating a new instance.
Observe that both $S_{dw}$ and $S_{up}$ are $\mathcal{E}_D$ processes: since we represent instances as adaptable processes with state, every modification enforced by the scaling policies will result in a different topology of adaptable processes. A correctness guarantee in this setting is that the cloud infrastructure satisfies the scaling requirements of client applications within a fixed bound. More precisely, we would like to ensure that every scaling alert managed by $\mathit{CTRL}_i$ (requesting more instances, for instance) will disappear within a certain bound, meaning that the scaling request is promptly addressed by the cloud provider. This kind of reliability guarantee can be represented in terms of BA, an adaptation problem which is decidable for $\mathcal{E}_D$ processes. Of course, the decidability of correctness guarantees depends much on their actual representations. Above, we have opted for simple, illustrative representations; clearly, different process abstractions may exploit other decidability results.

Autoscaling in EC2 also allows to suspend and resume the scaling policies themselves. To formalize this capability, we proceed similarly as we did for process $U_2$ above. This way, for the scale down policy, one can assume that $\mathit{CTRL}_i$ includes a process $U_{dw} = \;!\mathit{susp}_{down}.\, s_d\{\,!\mathit{resume}_{dw}.\, s_d[\bullet]\,\}$ which, provided an output signal on $\mathit{susp}_{down}$, captures the current policy, and evolves into a process that allows to resume it later on. Using the same principle, other modifications to the policies are possible. For instance, a natural request is to modify the scaling policies by changing the number of instances involved (i.e., $j$ in $S_{dw}$ and $k$ in $S_{up}$). As before, if our specification includes the ability of suspending/resuming scaling policies as implemented by $U_{dw}$, then we would obtain an $\mathcal{E}_D$ process.

5. Preliminaries 

We now introduce some background notions on Minsky machines, well-structured transition systems (WSTS), and Petri nets.

5.1. Minsky machines. Our undecidability results will be obtained by encodings of Minsky machines. A Minsky machine (MM) is a Turing complete model composed of a set of sequential, labeled instructions, and two registers. Registers $r_j$ ($j \in \{0, 1\}$) can hold arbitrarily large natural numbers. Instructions $(1 : I_1), \ldots, (n : I_n)$ can be of three kinds: $\mathsf{INC}(r_j)$ adds 1 to register $r_j$ and proceeds to the next instruction; $\mathsf{DECJ}(r_j, s)$ jumps to instruction $s$ if $r_j$ is zero, otherwise it decreases register $r_j$ by 1 and proceeds to the next instruction; a $\mathsf{HALT}$ instruction stops the machine. A MM includes a program counter $p$ indicating the label of the instruction being executed.

In its initial state, the machine has both registers set to 0 and the program counter $p$ set to the first instruction. We assume that instructions are proper, in the sense that there is no program counter that refers to a non-existing instruction. The MM terminates whenever the program counter is set to a $\mathsf{HALT}$ instruction. A configuration of a MM is a tuple $(i, m_0, m_1)$; it consists of the current program counter and the values of the registers. Formally, the reduction relation over configurations of a MM, denoted $\longrightarrow_M$, is defined in Figure 4.

Since MMs are Turing complete, termination is undecidable.

Theorem 5.1 (Minsky [47]). Minsky machines are Turing complete. Hence, for a MM it is undecidable whether it terminates. □
Figure 4: Semantics of MMs

$$\text{(M-Inc)}\quad \frac{i : \mathsf{INC}(r_j) \qquad m'_j = m_j + 1 \qquad m'_{1-j} = m_{1-j}}{(i, m_0, m_1) \longrightarrow_M (i + 1, m'_0, m'_1)}$$

$$\text{(M-Jmp)}\quad \frac{i : \mathsf{DECJ}(r_j, s) \qquad m_j = 0}{(i, m_0, m_1) \longrightarrow_M (s, m_0, m_1)}$$

$$\text{(M-Dec)}\quad \frac{i : \mathsf{DECJ}(r_j, s) \qquad m_j \neq 0 \qquad m'_j = m_j - 1 \qquad m'_{1-j} = m_{1-j}}{(i, m_0, m_1) \longrightarrow_M (i + 1, m'_0, m'_1)}$$

We shall exploit encodings into MMs to prove undecidability of EA and BA. In our encodings, we sometimes make the unrestrictive assumption that at the beginning and at the end of the computation the registers (must) contain the value zero.
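As an added example (not code from the paper), the following interpreter implements the three rules of Figure 4 directly, checks the "proper instructions" assumption, and runs a constructed two-register program; the program, its labels and the step budget are assumptions chosen for illustration.

```python
# Constructed example (not from the paper): an interpreter for Minsky machines that
# follows the reduction rules (M-Inc), (M-Jmp) and (M-Dec) of Figure 4 literally.
# A program maps labels 1..n to instructions; a configuration is (i, m0, m1).
INC, DECJ, HALT = "INC", "DECJ", "HALT"


def step(program, config):
    """One reduction (i, m0, m1) ->_M (i', m0', m1'); None when i labels HALT."""
    i, m = config[0], [config[1], config[2]]
    instr = program[i]
    if instr[0] == HALT:
        return None                        # no rule applies: the machine has terminated
    if instr[0] == INC:                    # (M-Inc): m'_j = m_j + 1, other register unchanged
        m[instr[1]] += 1
        return (i + 1, m[0], m[1])
    if instr[0] == DECJ:
        j, s = instr[1], instr[2]
        if m[j] == 0:                      # (M-Jmp): registers untouched, jump to s
            return (s, m[0], m[1])
        m[j] -= 1                          # (M-Dec): m'_j = m_j - 1, fall through
        return (i + 1, m[0], m[1])
    raise ValueError(f"unknown instruction at label {i}: {instr!r}")


def run(program, m0=0, m1=0, max_steps=10_000):
    """Iterate ->_M from (1, m0, m1). Returns (halted, final_config, steps_taken).
    max_steps is only a budget: termination is undecidable (Theorem 5.1), so a
    False result means 'not halted within the budget', not 'never halts'."""
    config = (1, m0, m1)
    for n in range(max_steps):
        nxt = step(program, config)
        if nxt is None:
            return True, config, n
        config = nxt
    return False, config, max_steps


def is_proper(program):
    """Check the 'proper' assumption: no program counter (the fall-through label
    i + 1 or a DECJ target s) refers to a non-existing instruction."""
    for i, instr in program.items():
        if instr[0] == HALT:
            continue
        if i + 1 not in program:
            return False
        if instr[0] == DECJ and instr[2] not in program:
            return False
    return True


# Constructed program over r0 (input) and r1 (kept at 0, so DECJ(r1, s) acts as an
# unconditional jump): it halts iff the initial value of r0 is even, and otherwise
# spins forever at label 4. Both registers are zero whenever it halts, matching the
# assumption made in the text about register contents at the end of a computation.
PARITY = {
    1: (DECJ, 0, 5),   # r0 = 0: even, go to HALT; else r0 -= 1
    2: (DECJ, 0, 4),   # r0 = 0: odd, diverge at 4; else r0 -= 1
    3: (DECJ, 1, 1),   # r1 = 0 always: jump back to 1
    4: (DECJ, 1, 4),   # r1 = 0 always: self-loop, never halts
    5: (HALT,),
}


if __name__ == "__main__":
    for r0 in range(5):
        halted, cfg, n = run(PARITY, m0=r0, max_steps=100)
        print(f"r0={r0}: halted={halted} after {n} steps, final={cfg}")
```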

5.2. Well-Structured Transition Systems. The decidability of BA for i5j processes will 
be shown by appealing to the theory of well-structured transition systems \30\ [2]. The 
following results and definitions are from [30j, unless differently specified. 

Recall that a quasi- order (or, equivalently, preorder) is a reflexive and transitive rela- 
tion. 

Definition 5.2 ( Well-quasi-order) . A well- quasi- order (wqo) is a quasi-order < over a set 
X such that, for any infinite sequence xq, xi,X2 - ■ ■ ^ X, there exist indexes i < j such that 

Note that if < is a wqo then any infinite sequence xo,xi,X2, ■ ■ ■ contains an infinite 
increasing subsequence , , , ■ . . (with < ii < «2 < • • •)■ Thus well-quasi-orders 
exclude the possibility of having infinite strictly decreasing sequences. 

We also need a definition for (finitely branching) transition systems. Here and in the
following, $\rightarrow^*$ denotes the reflexive and transitive closure of the relation $\rightarrow$.

Definition 5.3 (Transition system). A transition system is a structure $TS = (S, \rightarrow)$,
where $S$ is a set of states and $\rightarrow \subseteq S \times S$ is a set of transitions. We define $\mathit{Succ}(s)$ as the
set $\{s' \in S \mid s \rightarrow s'\}$ of immediate successors of $s$. $TS$ is finitely branching if, for each
$s \in S$, $\mathit{Succ}(s)$ is finite. We also define $\mathit{Pred}(s)$ as the set $\{s' \in S \mid s' \rightarrow s\}$ of immediate
predecessors of $s$, while $\mathit{Pred}^*(s)$ and $\mathit{Pred}^+(s)$ denote the sets $\{s' \in S \mid s' \rightarrow^* s\}$ and
$\{s' \in S \mid s' \rightarrow^+ s\}$, respectively, of predecessors of $s$.

Convention 5.4. In the rest of the paper, and with a slight abuse of notation, we will
assume the expected point-wise extensions of definitions to sets. For instance, the function
$\mathit{Succ}$ just defined on states is extended to sets of states as: $\mathit{Succ}(S) = \bigcup_{s \in S} \mathit{Succ}(s)$.

The key tool to the decidability of several properties of computations is the notion of
well-structured transition system [30, 2]. This is a transition system equipped with a well-
quasi-order on states which is (upward) compatible with the transition relation. Here we
will use a strong version of compatibility; hence the following definition.

Definition 5.5 (Well-structured transition system). A well-structured transition system
with strong compatibility is a transition system $TS = (S, \rightarrow)$, equipped with a quasi-order
$\leq$ on $S$, such that the two following conditions hold:

(1) $\leq$ is a well-quasi-order;

(2) $\leq$ is strongly (upward) compatible with $\rightarrow$, that is, for all $s_1 \leq t_1$ and all transitions
$s_1 \rightarrow s_2$, there exists a state $t_2$ such that $t_1 \rightarrow t_2$ and $s_2 \leq t_2$ holds.

Given a quasi-order $\leq$ over $X$, an upward-closed set is a subset $I \subseteq X$ such that the following
holds: $\forall x, y \in X : (x \in I \wedge x \leq y) \Rightarrow y \in I$. Given $x \in X$, we define its upward closure
as $\uparrow x = \{y \in X \mid x \leq y\}$. This notion can be extended to sets as expected: given a set
$Y \subseteq X$ we define its upward closure as $\uparrow Y = \bigcup_{y \in Y} \uparrow y$.

Definition 5.6 (Finite basis). A finite basis of an upward-closed set $I$ is a finite set $B$ such
that $I = \bigcup_{x \in B} \uparrow x$.

The notion of basis is particularly important when considering the basis of the predecessor
of a state in a transition system. More precisely, we are interested in effective
pred-basis as defined below.

Definition 5.7 (Effective pred-basis). A well-structured transition system has effective
pred-basis if there exists an algorithm such that, for any state $s \in S$, it returns the set $\mathit{pb}(s)$
which is a finite basis of $\uparrow \mathit{Pred}(\uparrow s)$.

The following proposition is a special case of Proposition 3.5 in [30].

Proposition 5.8. Let $TS = (S, \rightarrow, \leq)$ be a finitely branching, well-structured transition
system with strong compatibility, decidable $\leq$ and effective pred-basis. It is possible to compute
a finite basis of $\mathit{Pred}^*(I)$ for any upward-closed set $I$ given via a finite basis. □

Finally we will use the following proposition, whose proof is immediate.

Proposition 5.9. Let $S$ be a finite set. Then equality is a wqo over $S$. □

We shall also appeal to the following result. In [39], Kruskal proved that a wqo on a
set $S$ can be extended to the set of finite trees whose nodes have labels ranging in $S$; we
refer to this as the set of trees over $S$. We define how to extend a quasi-order on a set $S$ to
the trees over $S$. If $t$ is a tree and $n$ a node in $t$, we denote with $\mathit{label}(n)$ the label of the
node $n$.

Definition 5.10. Let $S$ and $\leq$ be a set and a wqo over $S$, respectively. The relation $\leq^{tr}$ on
the set of trees over $S$ is defined as follows. Let $t, u$ be trees over $S$. We have that $t \leq^{tr} u$
iff there exists an injection $f$ from the nodes of $t$ to the ones of $u$ such that:

(1) Let $m, n$ be nodes in $t$. If $m$ is an ancestor of $n$ then $f(m)$ is an ancestor of $f(n)$.

(2) Let $m, n, p$ be nodes in $t$. If $p$ is the minimal common ancestor of $m$ and $n$ then $f(p)$ is
the minimal common ancestor of $f(m)$ and $f(n)$.

(3) Let $n$ be a node in $t$. Then $\mathit{label}(n) \leq \mathit{label}(f(n))$.

The relation $\leq^{tr}$ is a quasi-order over the trees over $S$. It is also a wqo, since we have
the following result.

Theorem 5.11 (Kruskal [39]). Let $S$ be a set and $\leq$ a wqo over $S$. Then, the relation $\leq^{tr}$
is a wqo on the set of trees over $S$. □
5.3. Petri Nets. We will use Petri nets to prove the decidability of BA for . More
precisely, we will reduce BA for to a problem on Petri nets, that we call infinite visit,
which can be easily reduced to place boundedness.

A Petri net is a tuple $N = (S, T, m_0)$, where $S$ and $T$ are finite sets of places and
transitions, respectively. A finite multiset over the set $S$ of places is called a marking, and
$m_0$ is the initial marking. Given a marking $m$ and a place $p$, we say that the place $p$
contains $m(p)$ tokens in the marking $m$ if there are $m(p)$ occurrences of $p$ in the multiset
$m$. A transition is a pair of markings written in the form $m' \Rightarrow m''$. The marking $m$
of a Petri net can be modified by means of transition firing: a transition $m' \Rightarrow m''$ can
fire if $m(p) \geq m'(p)$ for every place $p \in S$; upon transition firing the new marking of the
net becomes $n = (m \setminus m') \uplus m''$, where $\setminus$ and $\uplus$ are the difference and union operators
for multisets, respectively. This is written as $m \rightarrow n$. We call computation a sequence
$m_0 \rightarrow m_1 \rightarrow \cdots \rightarrow m_n$. A marking $m$ is reachable if there exists a computation with
final marking $m$. A place $p \in S$ is bounded if there exists a natural number $k$ such that
$m(p) \leq k$ for every reachable marking $m$. The place boundedness problem is decidable for
Petri nets [35].

Definition 5.12 (Infinite visit). Given a Petri net $N = (S, T, m_0)$, a set of places to visit
$V \subseteq S$, and a mandatory place $p \in S$, we say that $N$ infinitely visits $V$ with mandatory
place $p$ if there exists an infinite sequence $m_0 \rightarrow m_1 \rightarrow m_2 \rightarrow \cdots$ and an index $i$ such that
for every $j \geq i$ there exists a place $p_j \in V$ such that $m_j(p_j) \geq 1$, and moreover $m_j(p) \geq 1$.

Theorem 5.13. Given a Petri net $N = (S, T, m_0)$, a set of places $V \subseteq S$, and a mandatory
place $p \in S$, it is decidable whether $N$ infinitely visits $V$ with mandatory place $p$.

Proof. By reduction to the place boundedness problem. Given a Petri net $N = (S, T, m_0)$
and a set of places $V \subseteq S$, we construct a Petri net $N' = (S \cup \{ph_1, ph_2, check\}, T', m_0 \uplus
\{ph_1\})$ such that $N$ infinitely visits $V$ with mandatory place $p$ if and only if $check$ is not
bounded in $N'$.

The Petri net $N'$ reproduces the computations in $N$ by (possibly) dividing them into
two phases: the first phase is witnessed by the presence of one token in the additional place
$ph_1$, while the second phase is witnessed by one token in the additional place $ph_2$. During the second
phase, a transition can be mimicked only if there is at least one token in one of the places
in $V$ and one token in the place $p$. Moreover, during the second phase, each transition puts
one token in the additional place $check$.

Formally, we define the set $T'$ of the transitions of $N'$ as follows:

• for each transition $m' \Rightarrow m''$ in $T$, $T'$ contains the transition $m' \uplus \{ph_1\} \Rightarrow m'' \uplus \{ph_1\}$;

• $T'$ contains the transition $\{ph_1\} \Rightarrow \{ph_2\}$;

• for each transition $m' \Rightarrow m''$ in $T$ and for each place $q \in V$, $T'$ contains the transition
$m' \uplus \{p, q, ph_2\} \Rightarrow m'' \uplus \{p, q, ph_2, check\}$.

The first group of transitions governs the first phase of the simulation; the second transition
realizes the passage from the first to the second phase; while the third group of transitions
is for the second phase.

First, assume that $N$ infinitely visits $V$ with mandatory place $p$. This means that in
$N$ there exists an infinite sequence $m_0 \rightarrow m_1 \rightarrow m_2 \rightarrow \cdots$ and an index $i$ such that for
every $j \geq i$ there exists a place $p_j \in V$ such that $m_j(p_j) \geq 1$ and $m_j(p) \geq 1$. This implies
that in $N'$ there is a corresponding computation that mimics the transitions $m_0 \rightarrow m_1 \rightarrow
m_2 \rightarrow \cdots \rightarrow m_{i-1}$ during the first phase, and the transitions $m_i \rightarrow m_{i+1} \rightarrow \cdots$ during the second
one. The second phase is infinite, hence $check$ is not bounded because each transition in
the second phase puts one token in such a place.

Register $r_j$: $\llbracket r_j = n \rrbracket_1 = r_j[(\!|n|\!)_j]$, where $(\!|n|\!)_j = \bar z_j$ if $n = 0$ and $(\!|n|\!)_j = \bar u_j.(\!|n-1|\!)_j$ if $n \geq 1$.

Instructions $(i : I_i)$:

$\llbracket (i : \mathrm{INC}(r_j)) \rrbracket_1 = {!}p_i.\,\tilde r_j\{r_j[\bar u_j.\bullet]\}.\,\bar p_{i+1}$

$\llbracket (i : \mathrm{DECJ}(r_j, s)) \rrbracket_1 = {!}p_i.\,(u_j.\bar p_{i+1} + z_j.\tilde r_j\{r_j[\bar z_j]\}.\bar p_s)$

$\llbracket (i : \mathrm{HALT}) \rrbracket_1 = {!}p_i.\,(e + \bar p_i)$

Table 2: Encoding of MMs into

Assume now that $check$ is unbounded in $N'$. As tokens are introduced in $check$ only
during the second phase, this means that there exists no bound to the length of the
computations in $N'$ that include the second phase. This implies the existence of at least one
infinite computation in $N'$ having both the first and the second phase. Consider now the
computation in $N$ composed of the transitions simulated in such an infinite computation
of $N'$. This computation in $N$ has a suffix (the part corresponding to the second phase) in
which all the traversed markings have at least one token in one of the places in $V$ as well
as one token in $p$. □
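The net $N'$ of the proof above, built from a constructed sample net, as an added Python example that is not part of the paper. It assumes markings represented as multisets (`Counter`), transitions as `(pre, post)` pairs, and the hypothetical names `infinite_visit_net`, `max_tokens_within`, `N_YES`, `N_NO`; the bounded-depth search only exhibits the growth of `check` on a small net, it is not the place-boundedness decision procedure the proof relies on.

```python
from collections import Counter

# A marking is a Counter over places; a transition is a pair (pre, post) of markings.
PH1, PH2, CHECK = "ph1", "ph2", "check"   # the three places added by the construction


def enabled(m, pre):
    """A transition pre => post can fire in m iff m(p) >= pre(p) for every place p."""
    return all(m[p] >= k for p, k in pre.items())


def fire(m, pre, post):
    """m --> n with n = (m \\ pre) (+) post; the caller guarantees the transition is enabled."""
    n = Counter(m)
    n.subtract(pre)
    n.update(post)
    return +n  # drop places whose count became zero


def infinite_visit_net(transitions, m0, V, p):
    """Return (T', m0') of the net N' of Theorem 5.13 for N = (S, transitions, m0).

    Places are implicit (the keys occurring in markings); the three groups of
    transitions are exactly those listed in the proof.
    """
    t2 = []
    for pre, post in transitions:                       # phase 1: mimic N, ph1 stays put
        t2.append((pre + Counter({PH1: 1}), post + Counter({PH1: 1})))
    t2.append((Counter({PH1: 1}), Counter({PH2: 1})))  # switch from phase 1 to phase 2
    for pre, post in transitions:                       # phase 2: needs p, some q in V, ph2
        for q in V:
            guard = Counter({p: 1, q: 1, PH2: 1})
            t2.append((pre + guard, post + guard + Counter({CHECK: 1})))
    return t2, m0 + Counter({PH1: 1})


def max_tokens_within(transitions, m0, place, steps):
    """Largest number of tokens in `place` over all markings reachable in at most `steps` firings.

    Brute-force exploration of a finite prefix of the reachability graph; it is a
    witness of growth, not a decision procedure for place boundedness.
    """
    frontier = {frozenset(m0.items())}
    best = m0[place]
    for _ in range(steps):
        nxt = set()
        for fm in frontier:
            m = Counter(dict(fm))
            for pre, post in transitions:
                if enabled(m, pre):
                    n = fire(m, pre, post)
                    best = max(best, n[place])
                    nxt.add(frozenset(n.items()))
        frontier = nxt
    return best


# Constructed sample nets (not from the paper), with V = {"v"} and mandatory place "p".
# N_YES keeps "run" and "p" forever and keeps producing "v": it infinitely visits V.
N_YES = [(Counter({"run": 1}), Counter({"run": 1, "v": 1}))]
# N_NO consumes its only "p" token at the first step, so no infinite suffix keeps p marked.
N_NO = [(Counter({"run": 1, "p": 1}), Counter({"run": 1, "v": 1}))]
M0 = Counter({"run": 1, "p": 1})


def check_growth(transitions, steps):
    """Max tokens in `check` of N' reachable within `steps` firings."""
    t2, m0_2 = infinite_visit_net(transitions, M0, V={"v"}, p="p")
    return max_tokens_within(t2, m0_2, CHECK, steps)


if __name__ == "__main__":
    print("N_YES:", [check_growth(N_YES, k) for k in (4, 6, 10)])  # grows with k
    print("N_NO: ", [check_growth(N_NO, k) for k in (4, 6, 10)])   # stays 0
```

For N_YES one phase-1 step must produce a `v` token and one step switches phase, so within k steps at most k-2 tokens reach `check`; for N_NO the phase-2 guard needs two `p` tokens and never fires.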



6. Undecidability Results for <f ^

We prove that BA and EA are undecidable in both £^ and £g. The result relies on an
encoding of MMs which satisfies the following: a MM terminates if and only if
its encoding into £g evolves into a state that starts an infinite computation that traverses
states exhibiting a distinguished barb $e$.

The encoding, denoted $\llbracket \cdot \rrbracket_1$, is given in Table 2. A register $j$ with value $m$ is represented
by an adaptable process at $r_j$ that contains the encoding of number $m$, denoted $(\!|m|\!)_j$.
In turn, $(\!|m|\!)_j$ consists of a sequence of $m$ output prefixes on name $u_j$, ending with an
output action on $z_j$, which represents zero. Instructions are encoded as replicated processes
guarded by $p_i$, which represents the MM when the program counter $p = i$. Once $p_i$ is
consumed, each instruction is ready to interact with the registers. To encode the increment
of register $r_j$, we enlarge the sequence of output prefixes it contains: the adaptable process
at $r_j$ is updated with the encoding of the incremented value (which results from putting the
value of the register behind some prefixes), and then the next instruction is invoked. The
encoding of a decrement of register $j$ consists of an exclusive choice: the left side implements
the decrement of the value of the register, while the right one implements the jump to some
given instruction. This choice is indeed exclusive: the encoding of numbers as a chain of
output prefixes ensures that an input prefix on $u_j$ and one on $z_j$ are never both available at
the same time. When the MM reaches the HALT instruction, the encoding can either exhibit
a barb on $e$, or set the program counter again to the HALT instruction so as to pass through
a state that exhibits $e$ at least $k > 0$ times. The encoding of a MM into £l is defined as
follows:
Definition 6.1. Let $N$ be a MM, with registers $r_0 = 0$, $r_1 = 0$ and instructions $(1 : I_1) \ldots (n : I_n)$.
Given the encodings in Table 2, the encoding of $N$ (written $\llbracket N \rrbracket_1$) is
defined as $\llbracket r_0 = 0 \rrbracket_1 \parallel \llbracket r_1 = 0 \rrbracket_1 \parallel \prod_{i=1}^{n} \llbracket (i : I_i) \rrbracket_1 \parallel \bar p_1$.

Given this encoding, we have that a MM terminates iff its encoding has at least $k$
consecutive barbs on the distinguished action $e$, for every $k \geq 1$.

Lemma 6.2. Let $N$ be a MM and $k \geq 1$. $N$ terminates iff $\llbracket N \rrbracket_1 \Downarrow^k_e$.



Proof. See Appendix B.1, Page 56. □

Theorem 6.3. BA and EA are undecidable in .

Proof (Sketch). The proof proceeds by considering a MM $N$ and its encoding $\llbracket N \rrbracket_1$. Taking
the cluster $\mathit{CS}_{\llbracket N \rrbracket_1} = \{\llbracket N \rrbracket_1\}$, undecidability of BA follows from undecidability of the
termination problem in MMs and Lemma 6.2.

Moreover, the number of consecutive barbs on $e$ can be unbounded: once the machine
reaches the HALT instruction, a barb on $e$ will be continuously available by always choosing
to synchronize on $p_i$. Hence, there exists a computation along which $\llbracket N \rrbracket_1$ exhibits $e$ at every
state, and we can conclude that EA is undecidable. □

Notice that $\llbracket N \rrbracket_1$ is an £^ process without nested adaptable processes. Hence, even if
we consider $\llbracket N \rrbracket_1$ as an £^ process, update prefixes cannot modify the topology of nested
adaptable processes (that is, in the semantics of Figure 2 condition $\mathit{cond}(U, Q)$ always holds
true) and the generated transition system is the same. Formally, this can be verified by
using Lemma 2.18. As a consequence, the above undecidability result holds for £^ processes
as well:

Corollary 6.4. BA and EA are undecidable in £^. □

7. (Un)decidability Results for

7.1. Decidability of Bounded Adaptation. Here we prove that, despite the previous
undecidability result, BA is decidable for £^ processes. That is, given a process $P$, a set of
processes $M$, a barb $\alpha$ and a bound $k$, there exists an algorithm to determine whether there exists a
process $R \in \mathit{CS}^M_P$ such that $R \Downarrow^k_\alpha$ holds. The proof appeals to the theory of well-structured
transition systems (see Section 5.2). The algorithm consists of five steps:

(1) We restrict the set of terms under consideration to those reachable by any $R \in \mathit{CS}^M_P$.
We characterize this set by

(a) considering the set of sequential subterms in $\mathit{CS}^M_P$, i.e., the subterms of $P$ and of the
processes in $M$ that do not have parallel composition or adaptable processes as their
topmost operator (see Definition 7.2), and

(b) introducing the ordering $\preceq$ over a tree-like representation of the processes in such
a set (see Definition 7.7).

(2) Next, we prove that $\preceq$ is a well-quasi-ordering (cf. Theorem 7.10) which is strongly
compatible with respect to $\rightarrow$ (cf. Theorem 7.14).

(3) These results enable us to compute a finite basis for the set of processes exhibiting $\alpha$;
this set is upward-closed with respect to $\preceq$ (cf. Theorem 7.20).

(4) We then show that it is possible to compute the finite basis of the set of processes that
expose $\alpha$ at least $k$ consecutive times (Lemma 7.23).

(5) Finally, we show that it is possible to determine whether or not some process $R \in \mathit{CS}^M_P$
is included in the set generated by the finite basis (Theorem 7.24).

In what follows, we describe the definitions and results associated to these steps. For the
sake of clarity, each of these descriptions is presented separately, in Sections 7.1.1-7.1.5.



Observe that the above strategy requires Kruskal's theorem (Theorem 5.11) on well-
quasi-orderings on trees. Unlike similar previous results exploiting the theory of well-
structured transition systems for obtaining decidability results (e.g., [IS]), in the case of
E\ it is not possible to find a bound on the "depth" of processes. We illustrate this issue
with a small example. Consider the process $R = a[P] \parallel {!}\tilde a\{a[a[\bullet]]\}.0$. One possible
evolution of $R$ is the following:

$R \rightarrow a[a[P]] \parallel {!}\tilde a\{a[a[\bullet]]\}.0 \rightarrow a[a[a[P]]] \parallel {!}\tilde a\{a[a[\bullet]]\}.0 \rightarrow \cdots$

and thus one obtains a process with an unbounded number of nested adaptable processes.
Nevertheless, not everything is lost, and some regularity can be found also in our case. By
mapping processes into particular forms of trees and then exploiting an ordering over those
trees, it can be shown that this ordering is indeed a well-quasi-ordering with strong compatibility,
and that it has an effective pred-basis. This way, decidability of BA can be shown by
following the five steps described above.

7.1.1. Step 1. We start by introducing some auxiliary definitions.

Definition 7.1 (Parallel Processes). Let $P = \prod_{i=1}^{m} P_i \parallel \prod_{j=1}^{n} a_j[P_j]$ be a process in
normal form. The set of top-level, parallel processes of $P$ is defined as

$\mathit{Par}(P) = \{P_i \mid i \in [1..m]\} \cup \{a_j[P_j] \mid j \in [1..n]\}$

This definition extends to sets of processes in normal form in the expected way.

Definition 7.2 (Sequential Subprocesses). Let $P$ be an £^ process. The set of sequential
subprocesses of $P$, denoted $\mathit{sub}(P)$, is defined inductively as follows:

$\mathit{sub}(\pi.P) = \{\pi.P\} \cup \mathit{sub}(P)$ if $\pi = a$ or $\pi = \bar a$

$\mathit{sub}(\tilde a\{U\}.Q) = \{\tilde a\{U\}.Q\} \cup \mathit{sub}(U) \cup \mathit{sub}(Q)$

$\mathit{sub}(\sum_{i \in I} \pi_i.P_i) = \{\sum_{i \in I} \pi_i.P_i\} \cup \bigcup_{i \in I} \mathit{sub}(\pi_i.P_i)$

$\mathit{sub}({!}\pi.P) = \{{!}\pi.P\} \cup \mathit{sub}(P)$

$\mathit{sub}(P \parallel Q) = \mathit{sub}(P) \cup \mathit{sub}(Q)$

$\mathit{sub}(a[P]) = \mathit{sub}(P)$

$\mathit{sub}(\bullet) = \emptyset$

Observe that $\mathit{sub}(0) = \mathit{sub}(\sum_{i \in \emptyset} \pi_i.P_i) = \{0\}$. The definition extends to sets of processes
as expected.

Notice that, since we are considering processes $P \in$ £^ (which make use of update
patterns that cannot include $\bullet$ in the scope of prefixes), $\mathit{sub}(P)$ is a set of processes that
are not update patterns, that is, they cannot have free occurrences of $\bullet$.
Figure 5: Tree denotations for £^ processes. (a) A tree denotation. (b) Tree embedding.

Definition 7.3. Let $P$ be an £^ process. The set of adaptable process names occurring
in $P$, denoted $\mathit{apn}(P)$, is inductively defined (by resorting, in general, to $\mathit{apn}(U)$ over £^
update patterns $U$) as follows:

$\mathit{apn}(a[U]) = \{a\} \cup \mathit{apn}(U)$

$\mathit{apn}(\pi.P) = \mathit{apn}(P)$ if $\pi = a$ or $\pi = \bar a$

$\mathit{apn}(\tilde a\{U\}.Q) = \mathit{apn}(U) \cup \mathit{apn}(Q)$

$\mathit{apn}(\sum_{i \in I} \pi_i.U_i) = \bigcup_{i \in I} \mathit{apn}(\pi_i.U_i)$

$\mathit{apn}({!}\pi.U) = \mathit{apn}(\pi.U)$

$\mathit{apn}(U_1 \parallel U_2) = \mathit{apn}(U_1) \cup \mathit{apn}(U_2)$

$\mathit{apn}(\bullet) = \emptyset$

The definition extends to sets of processes as expected.

Definition 7.4. Given a set of iSj processes $S$, we define:

$\mathit{lab}(S) = \mathit{sub}(S) \cup \{a[\,] \mid a \in \mathit{apn}(S)\}$

We are now ready to define the tree denotation of a process.

Definition 7.5 (Tree of a process). Let $P = \prod_{i=1}^{m} P_i \parallel \prod_{j=1}^{n} a_j[P'_j]$ be a process in
normal form. The tree denotation of $P$, denoted $\mathit{Tr}(P)$, is a tree over $\mathit{lab}(\{P\}) \cup \{\varepsilon\}$ and it is
built as follows. The root is labeled $\varepsilon$, and has $m+n$ children: the former $m$ are leaves labeled
$P_1, \ldots, P_m$, while the latter $n$ are subtrees recursively built from processes $P'_1, \ldots, P'_n$, where
the only difference is that their roots are labeled $a_1[\,], \ldots, a_n[\,]$, respectively.
Given a set of processes $S$, $\mathcal{T}_S$ denotes the set of trees over $\mathit{lab}(S) \cup \{\varepsilon\}$.

Example 7.6. Let $P$ be the process $a.P_1 \parallel \tilde b\{Q\} \parallel b[c.R \parallel d[\,]] \parallel f[g.T]$. Given Definition
7.5, $\mathit{Tr}(P)$ is depicted in Figure 5(a).

We now define the ordering $\preceq$ on processes. It corresponds to the extension of $=$, as
described in Definition 5.10, to trees. Notice that when $=$ is extended to trees it is no longer
a symmetric relation. More precisely:

Definition 7.7 (Ordering $\preceq$). Let $P$ and $Q$ be £^ processes. Also, let $=^{tr}$ stand for the
extension of $=$ as in Definition 5.10. Then we decree: $P \preceq Q$ iff $\mathit{Tr}(P) =^{tr} \mathit{Tr}(Q)$.

In other words, given two processes $P$ and $Q$, to check whether $\mathit{Tr}(P) =^{tr} \mathit{Tr}(Q)$ one simply
checks if all the labels of $\mathit{Tr}(P)$ occur in $\mathit{Tr}(Q)$ and respect the ancestor relation.
Example 7.8. Let $S$ and $T$ be the processes defined as

$S = a.P \parallel b[c.Q]$

$T = a.P \parallel d[b[f[e.R \parallel c.Q]]]$

Then we have $S \preceq T$; tree denotations for both processes (and the injection between them)
are depicted in Figure 5(b).
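Tree denotations (Definition 7.5) and the tree embedding of Definition 5.10 with equality as the label order (so the relation of Definition 7.7), checked on $S$ and $T$ of Example 7.8, as an added Python example that is not part of the paper. It assumes a normal-form process is a list whose string entries are the labels of sequential subprocesses and whose `("loc", a, P)` entries are adaptable processes $a[P]$; the names `tree_of`, `embeds` and `preceq` are hypothetical, and the injection is found by exhaustive search, which is fine for the small trees here.

```python
from itertools import permutations


class Node:
    """A labelled tree node; identity is used for node equality."""
    def __init__(self, label, children=()):
        self.label = label
        self.children = list(children)


def tree_of(process):
    """Tr(P): root labelled ε, one leaf per sequential component, one subtree per a[P] rooted at a[ ]."""
    root = Node("ε")
    for comp in process:
        if isinstance(comp, str):
            root.children.append(Node(comp))
        else:
            _, name, inner = comp
            sub = tree_of(inner)
            sub.label = name + "[ ]"      # the only difference: the root is relabelled a[ ]
            root.children.append(sub)
    return root


def parents(tree):
    """Map node -> parent (the root maps to None); the dict order is a pre-order listing."""
    par = {tree: None}
    stack = [tree]
    while stack:
        n = stack.pop()
        for c in n.children:
            par[c] = n
            stack.append(c)
    return par


def ancestors(par, n):
    """Strict ancestors of n, nearest first."""
    out = []
    while par[n] is not None:
        n = par[n]
        out.append(n)
    return out


def is_ancestor(par, m, n):
    return m in ancestors(par, n)


def lca(par, m, n):
    """Minimal common ancestor, counting a node as an ancestor of itself."""
    an = set([n] + ancestors(par, n))
    return next(x for x in [m] + ancestors(par, m) if x in an)


def respects(f, pt, pu, nodes):
    """Conditions (1)-(3) of Definition 5.10 for the injection f, labels compared with =."""
    for n in nodes:
        if n.label != f[n].label:                                        # (3)
            return False
    for m in nodes:
        for n in nodes:
            if is_ancestor(pt, m, n) and not is_ancestor(pu, f[m], f[n]):  # (1)
                return False
            if f[lca(pt, m, n)] is not lca(pu, f[m], f[n]):               # (2)
                return False
    return True


def embeds(t, u):
    """t <=^tr u: search for an injection from the nodes of t into the nodes of u."""
    pt, pu = parents(t), parents(u)
    nt, nu = list(pt), list(pu)
    if len(nt) > len(nu):
        return False
    for image in permutations(nu, len(nt)):
        if respects(dict(zip(nt, image)), pt, pu, nt):
            return True
    return False


def preceq(P, Q):
    """P ⪯ Q iff Tr(P) =^tr Tr(Q) (Definition 7.7)."""
    return embeds(tree_of(P), tree_of(Q))


# Example 7.8:  S = a.P || b[c.Q]     T = a.P || d[b[f[e.R || c.Q]]]
S = ["a.P", ("loc", "b", ["c.Q"])]
T = ["a.P", ("loc", "d", [("loc", "b", [("loc", "f", ["e.R", "c.Q"])])])]
# Constructed counterexample: moving a.P inside b breaks the ancestor condition (1).
S2 = [("loc", "b", ["a.P", "c.Q"])]

if __name__ == "__main__":
    print(preceq(S, T), preceq(T, S), preceq(S2, T))   # True False False
```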



We write $P \rightarrow_{\preceq} Q$ if there is some $P'$ such that $P \rightarrow P'$ and $P' \preceq Q$. We now define
the set of all derivatives of a given £^ process and show that $\preceq$ is a wqo over it.

Definition 7.9. Given an £^ process $P$, we define $\mathit{Deriv}(P) = \{Q \mid P \rightarrow^* Q\}$. This
definition is extended to sets of processes in the expected way.



7.1.2. Step 2. We start by showing that, given a set of processes $S$, $=^{tr}$ is a wqo over $\mathcal{T}_S$.

Theorem 7.10. Let $S$ be a set of £^ processes. Then, relation $=^{tr}$ is a wqo over $\mathcal{T}_S$.

Proof. The set $\mathit{lab}(S)$ is finite by construction. Hence, by Proposition 5.9, equality is a wqo
over $\mathit{lab}(S) \cup \{\varepsilon\}$. Finally, since $=$ is a wqo, using Kruskal's Theorem (Theorem 5.11) we
infer that $=^{tr}$ is a wqo over $\mathcal{T}_S$. □

We now prove that the trees constructed from processes contained in the set of all
derivatives form a subset of $\mathcal{T}_S$. The following notion of monadic and biadic contexts will
be useful in proofs.

Definition 7.11 (Monadic and Biadic Contexts). A monadic context is a context with one
hole (denoted "$\cdot$") and is defined according to the following grammar:

$C[\cdot] ::= [\cdot] \mid C[\cdot] \parallel P \mid a[C[\cdot]]$

where $P$ is an £^ process. Similarly, a biadic context is a context with two holes (denoted
"$\cdot_1$" and "$\cdot_2$", respectively) defined according to the following grammar:

$D[\cdot_1, \cdot_2] ::= C[\cdot_1] \parallel C[\cdot_2] \mid D[\cdot_1, \cdot_2] \parallel P \mid a[D[\cdot_1, \cdot_2]]$

where $P$ is an £^ process and $C$ is a monadic context. As customary, $C[P]$ and $D[R, Q]$
represent the processes obtained by replacing the holes in contexts $C[\cdot]$ and $D[\cdot_1, \cdot_2]$ with
processes $P$ and $R, Q$, respectively.

Lemma 7.12. Let $P$ be an £^ process. If $P \rightarrow Q$ then $\mathit{Tr}(Q) \in \mathcal{T}_{\{P\}}$.

Proof. By induction on the height of the derivation tree for $P \rightarrow Q$, with a case analysis
on the last rule used. There are seven cases to check. We recall that $\mathit{Tr}(Q) \in \mathcal{T}_{\{P\}}$ iff $\mathit{Tr}(Q)$
is over $\mathit{lab}(P) \cup \{\varepsilon\}$.

Case (Act1): Then $P = P_1 \parallel P_2$ and $Q = P'_1 \parallel P_2$, with $P_1 \rightarrow P'_1$. By Definition 7.5 we
have that $\mathit{Tr}(P)$ is over $\mathit{lab}(P_1) \cup \mathit{lab}(P_2) \cup \{\varepsilon\}$. By inductive hypothesis, we have that $\mathit{Tr}(P'_1)$
is over $\mathit{lab}(P_1) \cup \{\varepsilon\}$. Hence we can conclude that $\mathit{Tr}(Q)$ is over $\mathit{lab}(P_1) \cup \mathit{lab}(P_2) \cup \{\varepsilon\}$,
thus $\mathit{Tr}(Q) \in \mathcal{T}_{\{P\}}$.

Case (Act2): Analogous to the case for (Act1) and omitted.

Case (Loc): Then $P = a[P_1]$ and $Q = a[P'_1]$, with $P_1 \rightarrow P'_1$. By Definition 7.5 we have that
$\mathit{Tr}(P)$ is over $\mathit{lab}(P_1) \cup \{a[\,]\} \cup \{\varepsilon\}$. By inductive hypothesis, we have that $\mathit{Tr}(P'_1)$ is
over $\mathit{lab}(P_1) \cup \{\varepsilon\}$. Hence we can conclude that $\mathit{Tr}(Q)$ is over $\mathit{lab}(P_1) \cup \{a[\,]\} \cup \{\varepsilon\}$, thus
$\mathit{Tr}(Q) \in \mathcal{T}_{\{P\}}$.

Cases (Tau1)-(Tau2): Then $P = C_1[A] \parallel C_2[B]$, where $C_1$ and $C_2$ are monadic contexts
as in Definition 7.11. Moreover, $A$ is either ${!}\bar b.Q$ or $\sum_{i \in I} \pi_i.Q_i$ with $\pi_l = \bar b$, for some
$l \in I$, and $B$ is either ${!}b.R$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = b$, for some $l \in I$.

We consider only the case in which $A = \sum_{i \in I} \pi_i.Q_i$ with $\pi_l = \bar b$ and $B = {!}b.R$; the
other cases are similar. Then $Q = C_1[Q_l] \parallel C_2[R \parallel {!}b.R]$. We know that $\mathit{Tr}(P)$ is over
$\mathit{lab}(C_1) \cup \mathit{lab}(A) \cup \mathit{lab}(C_2) \cup \mathit{lab}(B) \cup \{\varepsilon\}$ and, by noticing that $\mathit{lab}(Q_l) \subseteq \mathit{lab}(A)$ and
$\mathit{lab}(R \parallel {!}b.R) \subseteq \mathit{lab}(B)$, we can conclude that $\mathit{Tr}(Q) \in \mathcal{T}_{\{P\}}$.

Cases (Tau3)-(Tau4): Then $P = C_1[A] \parallel C_2[B]$ where:

• $C_1$ and $C_2$ are monadic contexts, as in Definition 7.11;

• $A = b[P_1]$, for some $P_1$;

• $B = \sum_{i \in I} \pi_i.R_i$ with $\pi_l = \tilde b\{b[U] \parallel P_2\}$ for some $l \in I$, or $B = {!}\tilde b\{U\}.R$, for some $R$.

We consider the case in which $B = {!}\tilde b\{b[U] \parallel P_2\}.R$; the other case is similar. Then
$Q = C_1[U\{\{P_1\}\}] \parallel C_2[R \parallel {!}\tilde b\{U\}.R]$. We know that $\mathit{Tr}(P)$ is over $\mathit{lab}(C_1) \cup \mathit{lab}(A) \cup
\mathit{lab}(C_2) \cup \mathit{lab}(B) \cup \{\varepsilon\}$ and, by noticing that $\mathit{lab}(R \parallel {!}\tilde b\{U\}.R) \subseteq \mathit{lab}(B)$ and that, because
of the restrictions on £^, $\bullet$ cannot occur behind a prefix, we can conclude that
$\mathit{Tr}(Q) \in \mathcal{T}_{\{P\}}$. □

Lemma 7.12 can be used to show that $\{\mathit{Tr}(P) \mid P \in \mathit{Deriv}(S)\} \subseteq \mathcal{T}_S$, for some set of
processes $S$. Then, using Theorem 7.10, we can conclude that $\preceq$ is a wqo over it:

Corollary 7.13. Let $S$ be a set of £^ processes. Then, $\preceq$ is a wqo over $\mathit{Deriv}(S)$. □

The next result states strong compatibility of $\preceq$ with respect to reductions of £'^.

Theorem 7.14 (Strong Compatibility). Let $P$ and $Q$ be £^ processes such that $P \preceq Q$.
Then, $P \rightarrow P'$ implies that there exists $Q'$ such that $Q \rightarrow Q'$ and $P' \preceq Q'$.

Proof. By a case analysis on the reduction $P \rightarrow P'$. It can be the result of either an
input/output synchronization (through rules (Tau1)/(Tau2)) or an update synchronization
(through rules (Tau3)/(Tau4)). In both cases, the reduction may be combined with
uses of rules (Loc), (Act1), and (Act2).

We consider these two kinds of synchronizations separately. Let $n$ be a node with
ancestor $m$, and let $\mathit{Tr}(P)$ be a tree with root $\varepsilon$. Below, when we say that $n$ is replaced by
$\mathit{Tr}(P)$ we mean that: (i) $\varepsilon$ is merged with $m$; (ii) all children of $\varepsilon$ are added as siblings of
$n$; and (iii) $n$ itself is removed.

Input/output synchronization: Then we have

$P = D[A, B]$

where $D$ is a biadic context as in Definition 7.11, $A$ is either ${!}\bar a.P_1$ or $\sum_{i \in I} \pi_i.Q_i$ with
$\pi_l = \bar a$ and $Q_l = P_1$ for some $l \in I$, and $B$ is either ${!}a.P_2$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a$ and
$R_l = P_2$, for some $l \in I$.

Consider the tree $\mathit{Tr}(P)$, and let $m$ and $n$ be two of its nodes, labeled $A$ and $B$,
respectively.

We first consider the modifications to $\mathit{Tr}(P)$ when $P \rightarrow P'$. The tree $\mathit{Tr}(P')$ is
obtained from $\mathit{Tr}(P)$ in the following way:

(1) the node labeled $A$ is replaced with $\mathit{Tr}(P_1)$;

(2) the node labeled $B$ is replaced with $\mathit{Tr}(P_2)$.

Since $P \preceq Q$, the definition of $\preceq$ ensures that there exists a mapping $f$ that associates
nodes in $\mathit{Tr}(P)$ to nodes in $\mathit{Tr}(Q)$. In turn, this ensures the existence of a node $f(m)$ in
$\mathit{Tr}(Q)$ labeled $A$. It also ensures the existence of a node $f(n)$ labeled $B$ which has a
common ancestor with $f(m)$. Hence, the reduction can take place in $Q$ as well, and so
$Q \rightarrow Q'$. Now, $\mathit{Tr}(Q')$ is obtained from $\mathit{Tr}(Q)$ by applying the same changes described
above to the target nodes (of the input and the output) according to $f$.

The last thing to show is $P' \preceq Q'$, which follows by observing that the mapping
between $\mathit{Tr}(P')$ and $\mathit{Tr}(Q')$ is necessarily the same mapping $f$ between $\mathit{Tr}(P)$ and $\mathit{Tr}(Q)$
for all the nodes that have not been modified by the reduction, and that there is a one-to-one
correspondence for the other nodes, as the new trees $\mathit{Tr}(P_1)$ and $\mathit{Tr}(P_2)$ are added
to both $\mathit{Tr}(P)$ and $\mathit{Tr}(Q)$. Thus, $\mathit{Tr}(P') =^{tr} \mathit{Tr}(Q')$.

Update synchronization: Then we have

$P = D[a[P_1], A]$

where $D$ is a biadic context as in Definition 7.11 and $A$ is either ${!}\tilde a\{P_2\}.R$ or $\sum_{i \in I} \pi_i.Q_i$
with $\pi_l = \tilde a\{P_2\}$ and $Q_l = R$ for some $l \in I$. Consider the tree $\mathit{Tr}(P)$, and let $m$ and $n$
be two of its nodes, labeled $A$ and $a[\,]$ (with subtree $\mathit{Tr}(P_1)$), respectively.

We first consider the modifications to $\mathit{Tr}(P)$ when $P \rightarrow P'$. The tree $\mathit{Tr}(P')$ is
obtained from $\mathit{Tr}(P)$ in the following way:

(1) the node labeled $A$ is replaced with $\mathit{Tr}(R)$;

(2) as for the tree rooted in $a[\,]$ (i.e., $\mathit{Tr}(P_1)$), it is replaced with $\mathit{Tr}(P_2\{\{P_1\}\})$.

Since $P \preceq Q$, the definition of $\preceq$ ensures that there exists a mapping $f$ that associates
nodes in $\mathit{Tr}(P)$ to nodes in $\mathit{Tr}(Q)$. In turn, this ensures the existence of a node $f(m)$
in $\mathit{Tr}(Q)$ labeled $A$. It also ensures the existence of a node $f(n)$ labeled $a[\,]$ which
has a common ancestor with $f(m)$. Hence, the update synchronization above can take
place in $Q$ as well, and so $Q \rightarrow Q'$. Now, $\mathit{Tr}(Q')$ is obtained from $\mathit{Tr}(Q)$ by applying
the same changes described above to the target nodes (of the adaptable process $a$ and of
the update in $A$) according to $f$.

The last thing to show is that $P' \preceq Q'$, which follows by observing that the mapping
between $\mathit{Tr}(P')$ and $\mathit{Tr}(Q')$ is the same mapping $f$ between $\mathit{Tr}(P)$ and $\mathit{Tr}(Q)$ for all the
nodes that have not been modified by the reduction, and that there is a one-to-one
correspondence for the other nodes. More precisely:

(1) Consider the label in node $f(m)$: all nodes removed in $\mathit{Tr}(P')$ have been removed in
$\mathit{Tr}(Q')$, hence nodes $m$ and $f(m)$ are still in relation.

(2) Finally, we consider the two trees rooted in $n$ and $f(n)$, namely $S = \mathit{Tr}(P_2\{\{P_1\}\})$ and
$T = \mathit{Tr}(P_2\{\{Q_1\}\})$, respectively. $S$ is the same subtree as $T$ apart from some subtrees
of $P_2$ and $Q_2$ that can easily be put in relation, as the subtrees $\mathit{Tr}(P_1)$ and $\mathit{Tr}(Q_1)$
are in relation with $f$.

Thus, $\mathit{Tr}(P') =^{tr} \mathit{Tr}(Q')$. □



7.1.3. Step 3. We now move on to characterize the set of predecessors of a given process
(cf. Definition 5.3) by means of a finite basis (cf. Definition 5.6). Given a set $S$ of processes,
we are only interested in those predecessors whose tree is in $\mathcal{T}_S$. As it will be clear later on,
$S$ is intended to represent all processes in a cluster (cf. Definition 3.2).

Definition 7.15. Let $P$ and $S$ be an process and a set of <fj processes, respectively. We
define:

$\mathit{Pred}_S(P) = \{Q \mid Q \in \mathit{Pred}(P),\ \mathit{Tr}(Q) \in \mathcal{T}_S\}$.



As we have seen, reductions in E originate only from synchronizations between input and
output prefixes or from synchronizations between an adaptable process and a corresponding
update prefix. Our characterization of $\mathit{Pred}_S(P)$ as a finite basis relies, intuitively, on the
formalization of the "parts" of $P$ that might have been involved in a reduction leading
to $P$. We introduce the notion of syntactic context: it allows us to reason about the
decompositions of $P$, which are useful to describe the subprocesses that have been involved
in the reduction to $P$; such subprocesses may be contained in $P$ or they can be found in $S$.
In the latter case, we must appeal to parallel extensions of the syntactic context defining
the given decomposition, as we give next:

Definition 7.16 (Syntactic Contexts, Decompositions, Extensions). Syntactic contexts,
ranged over by $K, K', \ldots$, are defined by the following syntax:

$K ::= [\cdot] \mid a[K] \mid K \parallel K \mid P$

where $P$ is as in Definition 2.3 using contexts as in Definition 2.6 (2).

Given a process $P$, a syntactic context $K$, and processes $\tilde R$, we say that $K[\tilde R]$ is a
decomposition of $P$ if $P = K[\tilde R]$. We assume processes $\tilde R$ fill the holes in $K$ preserving the
order in which they appear.

A parallel extension of $K$ is a syntactic context with exactly two holes obtained in the
following way:

$\mathit{Ext}(K) = \{K,\ K \parallel [\cdot],\ K \parallel [\cdot] \parallel [\cdot]\} \cap \mathit{SC}_2$

where $\mathit{SC}_2$ is the set of all syntactic contexts with exactly two holes.

We move on to define the pred-basis function for processes; it is defined with respect
to a set of processes $S$ and noted $\mathit{pb}_S(\cdot)$. First, we present some intuitions and auxiliary
definitions. Given a process $P$, the set $\mathit{pb}_S(P)$ represents the basis for the set $\uparrow \mathit{Pred}_S(\uparrow P)$;
in other words, it is a finite representation of those processes that reduce to $P$, up to $\preceq$, i.e.,
a basis for all those $Q$ such that $Q \rightarrow_{\preceq} P$. To this aim, we consider all the decompositions
of $P$ as $K[\tilde R]$ for some syntactic context $K$ and processes $\tilde R$, with $|\tilde R| \leq 2$. There are finitely
many such decompositions. The idea is to characterize a predecessor $Q$ of $P$ by suitably
filling in the holes in (possibly an extension of) $K$ so that $Q$ is such that $\mathit{Tr}(Q) \in \mathcal{T}_S$.
Now, each $K$ can have two, one, or even zero holes (as a process can be a decomposition
of itself). In case $|\tilde R| < 2$, the syntactic context must be extended so as to contain exactly
two holes; this is defined by $\mathit{Ext}(K)$ above.

Let us analyze the possibilities for such an extended context. As we have seen, reductions
in £^ arise from the synchronization of two complementary prefixes occurring (i)
inside two sums, or (ii) one inside a sum and the other in a replicated process, or (iii) both
prefixes in two replicated processes. For the sake of readability, and with a little abuse
of notation, in the explanation below we use biadic contexts filled in with the interacting
prefixes, rather than with the processes in which such prefixes occur. That is, we write
$D[\bar a.P, \beta.Q]$ rather than, e.g., $D[\bar a.P + M, {!}\beta.Q]$. There are six cases. If $K$ has exactly two
holes then it means that the reduction is "internal" to process $P$. That is, the reduction
can be traced back by looking at subprocesses of $P$. Then $P = K[P_1, P_2]$ and no parallel
extension is needed. There are two possible cases:

(1) $P$ is the result of an input/output synchronization, and so its predecessors are of the
form $Q = K[\bar a.P_1, a.P_2]$, for some $a \in \mathit{apn}(S)$ and where $\bar a.P_1$ and $a.P_2$ are processes
in $\mathit{sub}(S)$.

(2) $P$ is the result of a synchronization between an update prefix and some corresponding
adaptable process, and so its predecessors are of the form $Q = K[\tilde a\{Q'\}.P_1, a[Q'']]$,
where $P_2 = Q'\{\{Q''\}\}$ and $a \in \mathit{apn}(S)$. Also, process $\tilde a\{Q'\}.P_1$ should belong to $\mathit{sub}(S)$.
Moreover, depending on the number of holes in $Q'$ there are two possible situations: (1)
if $|Q'|_\bullet = 0$ then $P_2 = Q'$ and $Q''$ can be any process in $\mathit{sub}(S)$; (2) if $|Q'|_\bullet > 0$ then $Q''$
is taken in such a way that $P_2 = Q'\{\{Q''\}\}$.

In case $K$ has one hole only, we extend the context with a hole so as to accommodate
some process not originally present in $P$. That is, $P = K[P_1]$ and the reduction to $P$ is
characterized by the interaction between a prefix guarding subprocess $P_1$ and some other
subprocess external to $P$ (cases (3) and (4) below). It can also be the case that the reduction
is an update synchronization leading to $P_1$ (case (5)). We thus consider the extended context
$D[\cdot, \cdot] = K[\cdot] \parallel [\cdot]$. There are three possible cases:

(3) $P$ is the result of an input/output synchronization, and so its predecessors are either of
the form $Q = D[\bar a.P_1, a.Q_2]$ or $Q = D[a.P_1, \bar a.Q_2]$, for some $a \in \mathit{apn}(S)$, where the processes
$\bar a.P_1$ and $a.Q_2$ ($a.P_1$ and $\bar a.Q_2$, respectively) belong to $\mathit{sub}(S)$.

(4) $P$ is the result of a synchronization between an update prefix guarding $P_1$ and some
corresponding adaptable process. Hence, for some $a \in \mathit{apn}(S)$, its predecessors are of
the form $Q = D[\tilde a\{Q'\}.P_1, a[Q'']]$, with processes $\tilde a\{Q'\}.P_1$ and $Q''$ in $\mathit{sub}(S)$.

(5) $P$ is the result of a synchronization between an update prefix and some corresponding
adaptable process, in such a way that their synchronization leads to $P_1$. This way, the
predecessors of $P$ are of the form $Q = D[\tilde a\{Q'\}.Q_2, a[Q'']]$ or $Q = D[a[Q''], \tilde a\{Q'\}.Q_2]$
where $P_1 = Q'\{\{Q''\}\}$, for some $a \in \mathit{apn}(S)$. Similarly as in case (2) above, process
$\tilde a\{Q'\}.Q_2$ should belong to $\mathit{sub}(S)$. Moreover, depending on the number of holes in $Q'$
there are two possible situations: (1) if $|Q'|_\bullet = 0$ then $P_1 = Q'$ and $Q''$ can be any
process in $\mathit{sub}(S)$; (2) if $|Q'|_\bullet > 0$ then $Q''$ is taken in such a way that $P_1 = Q'\{\{Q''\}\}$.

The last case to consider is when $K$ has no holes, i.e., the trivial decomposition of $P$ as
itself. Then $D[\cdot, \cdot] = P \parallel [\cdot] \parallel [\cdot]$ and we have:

(6) $P$ is the result of a synchronization between the subprocesses in the two added holes.
That is, its predecessors are of one of the following forms: (1) $Q = P \parallel \bar a.R_1 \parallel a.R_2$ and (2)
$Q = P \parallel \tilde a\{Q'\}.R_1 \parallel a[R_2]$. In both cases, $a \in \mathit{apn}(S)$ and the holes are filled in with
processes in $\mathit{sub}(S)$.

Before giving the definition of $\mathit{pb}_S(Q)$, we introduce an auxiliary notion.

Definition 7.17. Let $P$ be an £^ process. The set of update patterns occurring in $P$, denoted $\mathrm{Upd}(P)$, is inductively defined as follows:

$\mathrm{Upd}(a\{U\}.Q) = \{U\} \cup \mathrm{Upd}(U) \cup \mathrm{Upd}(Q)$

$\mathrm{Upd}(a[P]) = \mathrm{Upd}(P)$

$\mathrm{Upd}(\pi.P) = \mathrm{Upd}(P)$ if $\pi = a$ or $\pi = \overline{a}$

$\mathrm{Upd}(\sum_{i \in I} \pi_i.U_i) = \bigcup_{i \in I} \mathrm{Upd}(\pi_i.U_i)$

$\mathrm{Upd}(!\pi.U) = \mathrm{Upd}(\pi.U)$

$\mathrm{Upd}(U_1 \parallel U_2) = \mathrm{Upd}(U_1) \cup \mathrm{Upd}(U_2)$

$\mathrm{Upd}(\bullet) = \emptyset$

This definition extends to sets of processes as expected.
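As an added worked example (not part of the paper), the following Python code implements the three syntactic notions that the pred-basis construction keeps manipulating: the hole count $|U|_\bullet$, pattern instantiation $U\langle\!\langle Q\rangle\!\rangle$, and the set $\mathrm{Upd}(P)$ of Definition 7.17. The constructors (`Loc`, `Par`, `Prefix`, `Sum`, `Repl`, `Update`, `Hole`, `Nil`) are an assumed encoding of the calculus' syntax rather than the paper's concrete grammar, and holes occurring inside nested update patterns are counted as well, which is an assumption about the shape of patterns. The sample process at the end is constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Tuple

# Assumed encoding of the syntax of processes and update patterns
# (constructor names are ours, not the paper's concrete syntax).
@dataclass(frozen=True)
class Hole:                       # the hole  •  of an update pattern
    pass

@dataclass(frozen=True)
class Nil:                        # the inactive process 0
    pass

@dataclass(frozen=True)
class Loc:                        # adaptable process  a[P]
    name: str
    body: object

@dataclass(frozen=True)
class Par:                        # P || Q
    left: object
    right: object

@dataclass(frozen=True)
class In:                         # input prefix  a
    name: str

@dataclass(frozen=True)
class Out:                        # output prefix  a-bar
    name: str

@dataclass(frozen=True)
class Update:                     # update prefix  a{U}
    name: str
    pattern: object

@dataclass(frozen=True)
class Prefix:                     # pi.P
    action: object
    cont: object

@dataclass(frozen=True)
class Sum:                        # sum of prefixed processes
    branches: Tuple[Prefix, ...]

@dataclass(frozen=True)
class Repl:                       # !pi.P
    body: Prefix


def holes(u) -> int:
    """|U|_bullet: number of holes in U (assumption: holes inside nested
    update patterns are counted too)."""
    if isinstance(u, Hole):
        return 1
    if isinstance(u, Loc):
        return holes(u.body)
    if isinstance(u, Par):
        return holes(u.left) + holes(u.right)
    if isinstance(u, Prefix):
        inner = holes(u.action.pattern) if isinstance(u.action, Update) else 0
        return inner + holes(u.cont)
    if isinstance(u, Sum):
        return sum(holes(b) for b in u.branches)
    if isinstance(u, Repl):
        return holes(u.body)
    return 0                      # Nil


def instantiate(u, q):
    """U<<Q>>: the process obtained by filling every hole of U with Q.
    When |U|_bullet = 0 the result is U itself whatever Q is; this is the
    case distinction used in cases (2) and (5) of the pred-basis."""
    if isinstance(u, Hole):
        return q
    if isinstance(u, Loc):
        return Loc(u.name, instantiate(u.body, q))
    if isinstance(u, Par):
        return Par(instantiate(u.left, q), instantiate(u.right, q))
    if isinstance(u, Prefix):
        act = u.action
        if isinstance(act, Update):
            act = Update(act.name, instantiate(act.pattern, q))
        return Prefix(act, instantiate(u.cont, q))
    if isinstance(u, Sum):
        return Sum(tuple(instantiate(b, q) for b in u.branches))
    if isinstance(u, Repl):
        return Repl(instantiate(u.body, q))
    return u                      # Nil


def upd(p) -> frozenset:
    """Upd(P) of Definition 7.17: the set of update patterns occurring in P."""
    if isinstance(p, Prefix):
        if isinstance(p.action, Update):      # Upd(a{U}.Q) = {U} u Upd(U) u Upd(Q)
            u = p.action.pattern
            return frozenset({u}) | upd(u) | upd(p.cont)
        return upd(p.cont)                    # Upd(a.P) = Upd(a-bar.P) = Upd(P)
    if isinstance(p, Loc):
        return upd(p.body)
    if isinstance(p, Sum):
        return frozenset().union(*(upd(b) for b in p.branches))
    if isinstance(p, Repl):
        return upd(p.body)
    if isinstance(p, Par):
        return upd(p.left) | upd(p.right)
    return frozenset()                        # Hole, Nil


# Constructed sample process:  a{ b[•] || a-bar.0 }.0  ||  c[ !d.e{•}.0 ]
PATTERN = Par(Loc("b", Hole()), Prefix(Out("a"), Nil()))
SAMPLE = Par(Prefix(Update("a", PATTERN), Nil()),
             Loc("c", Repl(Prefix(In("d"), Prefix(Update("e", Hole()), Nil())))))
```

`upd(SAMPLE)` yields the two patterns $b[\bullet] \parallel \overline{a}.0$ and $\bullet$; `instantiate(Nil(), q)` is `Nil()` for every `q`, which is exactly why, when $|Q'|_\bullet = 0$, the predecessor can use $a[\mathbf{0}]$ in place of the actual content $Q''$.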
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Definition 7.18 (Pred-basis). Let S be a set of £^ processes and P be an process such 
that Tr(P) G Ts- Given the set 

= sub(5) U {a[H] I a G apn(5), H G sub(5)} U 

{a[H] I R = U{{H)), ReR, U £ Upd(5), \U\, > 1} 

the pred-basis of P with respect to S, denoted pbs{P), is defined as the set: 

pbsiP) = U {Q\Q P, Q = D[G], D G Ext{K), G C g^j^] 

P=K[R\ 

We show that the well structured transition system given above has an effective pred-basis 



(cf. Definition 5.7) 



Theorem 7.19. Let P and S be a £^ process and a set of £^ processes, respectively. We 
then have that pbs{P) =t P''ed5(t P)- Moreover, pbs{-) is effective. 

Proof. The inclusion $\uparrow\!\mathit{pb}_S(P) \subseteq \uparrow\!\mathrm{Pred}_S(\uparrow\!P)$ follows by construction. We consider the other inclusion, i.e., $\uparrow\!\mathrm{Pred}_S(\uparrow\!P) \subseteq \uparrow\!\mathit{pb}_S(P)$. Given some $R \in \uparrow\!\mathrm{Pred}_S(\uparrow\!P)$, we show that there is a $Q \in \mathit{pb}_S(P)$ such that $Q \preceq R$. As hinted at above, depending on the kind of reduction that can occur to reach process $P$ we should consider six cases. Below, $K$, $K_1$ and $K_2$ are syntactic contexts as in Definition 7.16.

Reduction is "internal" to $P$. Then we have one of the following cases:

(1) $P$ is obtained as an input/output synchronization. Then $R = K_1[A, B]$ (or $R = K_1[B, A]$) where $A$ is either $!a.Q_1$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a$ and $R_l = Q_1$ for some $l \in I$, and $B$ is either $!\overline{a}.Q_2$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = \overline{a}$ and $R_l = Q_2$ for some $l \in I$. There exists $K_2$ such that $P = K_2[Q_1, Q_2]$ and $R \longrightarrow {\succeq} P$. Since $R \in \uparrow\!\mathrm{Pred}_S(\uparrow\!P)$, then $A, B \in \mathrm{sub}(S)$ and we can conclude $R \succeq Q = K_2[A, B] \in \mathit{pb}_S(P)$.

(2) If $P$ is the result of an update of an adaptable process then $R = K_1[A, a[Q'']]$, where $A$ is either $!a\{Q'\}.Q_1$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a\{Q'\}$ and $R_l = Q_1$ for some $l \in I$, and there exists $K_2$ such that $P = K_2[Q_1, Q_2]$ and $R \longrightarrow {\succeq} P$, where $Q_2 = Q'\langle\!\langle Q''\rangle\!\rangle$. If $|Q'|_\bullet = 0$ then $Q_2 = Q'$ and, as $R \in \uparrow\!\mathrm{Pred}_S(\uparrow\!P)$, we have $A, Q'' \in \mathrm{sub}(S)$ and therefore $R \succeq Q = K_2[A, a[\mathbf{0}]] \in \mathit{pb}_S(P)$. Otherwise, if $|Q'|_\bullet > 0$ then $A \in \mathrm{sub}(S)$ and we can immediately conclude $R \succeq Q = K_2[A, a[Q'']] \in \mathit{pb}_S(P)$.

Reduction partially present in $P$. Then we have one of the following cases:

(3) If $R = K_1[A, B]$ (or $R = K_1[B, A]$) where $A$ is either $!a.Q_1$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a$ and $R_l = Q_1$ for some $l \in I$, and $B$ is either $!\overline{a}.Q_2$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = \overline{a}$ and $R_l = Q_2$ for some $l \in I$. Then there exists $K_2$ such that $P = K_2[Q_1]$ and $R \longrightarrow {\succeq} P$. As $A, B \in \mathrm{sub}(S)$ (respectively $a.Q_1, \overline{a}.Q_2 \in \mathrm{sub}(S)$) we can conclude $R \succeq Q = K_2[A] \parallel B \in \mathit{pb}_S(P)$ (respectively $Q = K_2[B] \parallel A$).

(4) If $R = K_1[A, a[Q_2]]$ where $A$ is either $!a\{Q'\}.Q_1$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a\{Q'\}$ and $R_l = Q_1$ for some $l \in I$. Then there exists $K_2$ such that $P = K_2[Q_1]$ and $R \longrightarrow {\succeq} P$. As $A \in \mathrm{sub}(S)$, then $R \succeq Q = K_2[A] \parallel a[\mathbf{0}] \in \mathit{pb}_S(P)$.

(5) If $R = K_1[a[Q''], A]$ where $A$ is either $!a\{Q'\}.Q_2$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a\{Q'\}$ and $R_l = Q_2$ for some $l \in I$. Then there exists $K_2$ such that $P = K_2[Q_1]$ and $R \longrightarrow {\succeq} P$. If $|Q'|_\bullet = 0$ then $Q_1 = Q'$, $A \in \mathrm{sub}(S)$, and we can conclude $R \succeq Q = K_2[a[\mathbf{0}]] \parallel A \in \mathit{pb}_S(P)$. Otherwise, if $|Q'|_\bullet > 0$ then $Q_1 = Q'\langle\!\langle Q''\rangle\!\rangle$ and we can conclude $R \succeq Q = K_2[a[Q'']] \parallel A \in \mathit{pb}_S(P)$.

Reduction external to $P$. Then we have:

(6) $R = K_1[P, A, B]$ or $R = K_1[P, C, a[Q_3]]$ where $A$ is either $!a.Q_1$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a$ and $R_l = Q_1$ for some $l \in I$, $B$ is either $!\overline{a}.Q_2$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = \overline{a}$ and $R_l = Q_2$ for some $l \in I$, and $C$ is either $!a\{Q_1\}.Q_2$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = a\{Q_1\}$ and $R_l = Q_2$ for some $l \in I$. As all processes $A$, $B$, $C$, $Q_3$ are taken from $\mathrm{sub}(S)$ we can conclude $R \succeq Q = P \parallel A \parallel B \in \mathit{pb}_S(P)$ (respectively $Q = P \parallel C \parallel a[Q_3]$).

Moreover, the construction of $\mathit{pb}_S(Q)$ is effective. In particular, given a syntactic context there are finitely many ways of extending it with one or two holes so as to obtain a parallel extension $D \in \mathrm{Ext}(K)$. In Definition 7.18, notice that when filling in the contexts with terms in $\mathcal{G}$, both the set of sequential subprocesses and the ways of constructing an update pattern $U$ are finite. This concludes the proof. □

Theorem 7.20. Let $S$ be a set of £j processes. $(\mathrm{Deriv}(S), \longrightarrow, \preceq)$ is a finitely branching, well-structured transition system with strong compatibility, decidable $\preceq$, and effective pred-basis $\mathit{pb}_S$. Hence, it is possible to compute a finite basis $\mathit{pb}^*$ of $\mathrm{Pred}^*_S(I)$ (and $\mathrm{Pred}_S(I)$) for any upward-closed set $I$ which is given via a finite basis.

Proof. Follows from Proposition 5.8, using Remark 2.17, and Theorems 7.14 and 7.19. □



7.1.4. Step. Next, we define the basis of the set of processes that immediately exhibit a barb $\alpha$.

Definition 7.21. Let $S$ and $\alpha$ be a set of £^ processes and a barb $\alpha \in \{a, \overline{a} \mid a \in \mathcal{N}\}$, respectively. Then, we define:

$\mathrm{fb}_\alpha(S) = \{R \in \mathrm{sub}(S) \mid R\downarrow_\alpha\}$

Given an initial process $P$, a set of processes $M$, and a barb $\alpha$, to determine whether BA is decidable we check if there exists a process $R \in \mathit{CS}_P$ such that $R\Downarrow^{k}_\alpha$. It is sufficient to check if $R$ appears in the set of the predecessors of the processes that can exhibit $\alpha$ at least $k$ consecutive times. Since $\preceq$ imposes a well-quasi-order on processes, it is enough to characterize the set of predecessors by means of its finite basis, as shown by Theorem 7.20. More precisely, if $k = 1$ then it is sufficient to check if $R$ is in the set of predecessors of the processes in $\mathrm{fb}_\alpha(S)$, where $S = M \cup \{P\}$. Otherwise, if $k > 1$ then we need to check for the existence of processes $R_1, \ldots, R_k$ such that $R \longrightarrow^* R_1 \longrightarrow \cdots \longrightarrow R_k$, with $R_i\downarrow_\alpha$ for $i \in [1..k]$. To do this, we proceed backwards. We begin by computing the finite basis $\mathrm{fb}_\alpha(S)$; process $R_k$ should be in its upward closure. Then, we compute a finite basis for the set of processes in $\mathrm{Pred}_S(\mathrm{fb}_\alpha(S))$ which exhibit $\alpha$ immediately; $R_{k-1}$ should be in the upward closure of this finite basis, which is constructed as follows. Notice that, by virtue of Theorem 7.19, we can rely on the pred-basis given by Definition 7.18, i.e., $\mathit{pb}_S(\mathrm{fb}_\alpha(S))$, in this case. We consider two classes of elements of $\mathit{pb}_S(\mathrm{fb}_\alpha(S))$: the first one is composed of those processes that can immediately perform $\alpha$, while the second contains the rest. The desired finite basis is obtained by taking the set of processes containing (i) every process in the first class and (ii) every $Q$ in the second class (but with a minimal modification, with respect to the ordering, in such a way that it can exhibit $\alpha$ immediately). The latter is achieved by function $\mathrm{Add}_B(Q)$ (cf. Definition 7.22), which "plugs" into every $Q$ a process in $\mathrm{fb}_\alpha(S)$, either in parallel at the top level or inside an adaptable process. This procedure iterates as expected; each iteration considers the predecessors of the elements of the finite basis obtained in the previous one. In the last step, in order to calculate all the predecessors of process $R_1$ we apply Theorem 7.20, thus obtaining a finite basis $\mathit{pb}^*$ where it is sufficient to check whether $R$ belongs to its upward closure. More formally:

Definition 7.22. Let $S$ be a set of processes. Given the following set definitions (with $C$ being a monadic context as in Definition 7.11)

$\mathrm{Add}_B(Q) = \{Q \parallel R \mid R \in B\} \cup \{C[a[R \parallel Q_1]] \mid Q = C[a[Q_1]],\ R \in B\}$

$\mathrm{lb}_\alpha(A, B) = \{Q \in A \mid Q\downarrow_\alpha\} \cup \{\mathrm{Add}_B(Q) \mid Q \in A \text{ and } Q\not\downarrow_\alpha\}$

we define the finite basis $\mathrm{FB}_{\alpha,k}(S) = \mathit{pb}^*(B_{\alpha,k}(S))$ where $k \geq 1$ and

$B_{\alpha,k}(S) = \mathrm{fb}_\alpha(S)$ if $k = 1$, and $B_{\alpha,k}(S) = \mathrm{lb}_\alpha\big(\mathit{pb}_S(B_{\alpha,k-1}(S)),\ \mathrm{fb}_\alpha(S)\big)$ otherwise.

The effectiveness of $\mathrm{FB}_{\alpha,k}$ will allow us to prove the decidability of BA.

Lemma 7.23. Let $S$ be a set of £^ processes, and let $\alpha \in \{a, \overline{a} \mid a \in \mathcal{N}\}$. Then $\mathrm{FB}_{\alpha,k}(S)$ is effective.

Proof. The effectiveness of the calculation of the finite basis of $\mathrm{Pred}^*_S(\cdot)$ follows from Theorem 7.20. The set $\mathrm{lb}_\alpha(\cdot, \cdot)$ is finite and hence can be computed as defined above. Moreover, it is easy to see that it is a finite basis representing all the predecessors of $\mathrm{fb}_\alpha(S)$ which in turn can immediately exhibit $\alpha$. □



7.1.5. Step. We conclude by showing how to determine whether there exists a process $R$ in $\mathit{CS}_P$ that exhibits $\alpha$. Recall that $\mathrm{Par}(P)$ is the set of all processes and all adaptable processes in $P$ which are in parallel at top level (see Definition 7.1). We can finally state:

Theorem 7.24. BA is decidable for £^.

Proof. Let $P$ and $M = \{T_1, \ldots, T_n\}$ be an initial process and a set of £^ processes, respectively. In order to show that BA is decidable, it suffices to check that, given some $\alpha$ and $k \geq 1$, there exists a process $R \in \mathit{CS}_P$ such that $R\Downarrow^{k}_\alpha$. More precisely, letting $S = \{P\} \cup M$, we have to check if there exists a process $Q \in \mathrm{FB}_{\alpha,k}(S)$ such that $Q \preceq R$. From Lemma 7.23, we know that it is possible to compute the set $\mathrm{FB}_{\alpha,k}(S)$. Then, for each $Q_i \in \mathrm{FB}_{\alpha,k}(S)$ we analyze the processes in $\mathrm{Par}(Q_i)$ (cf. Definition 7.1). Let $V$ be the set of the processes $Q'_j$ in $\mathrm{Par}(Q_i)$ such that $Q'_j \preceq T$ for some $T \in M$. We now consider $Q^*$, the process obtained from $Q_i$ by removing all the occurrences of the parallel processes in $V$. At this point, it is enough to check whether $Q^* \preceq P$. If this is the case for at least one $Q_i \in \mathrm{FB}_{\alpha,k}(S)$, then we can conclude that there exists $R \in \mathit{CS}_P$ such that $R\Downarrow^{k}_\alpha$; otherwise there exists no $R \in \mathit{CS}_P$ such that $R\Downarrow^{k}_\alpha$. □
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Control = !a. (/ || b \\ a) \\ a. a. {pi \\ e) \\ \h. (g. f \\ h) 



Register Vj 



m\2 



rj[Hncj. Uj \\ zj] if m = 

rj[\incj.Uj \\ YY^uJ \\ 'zj] if m > 0. 



Instructions (i : li) 
{{i : INC(rj))l2 = \pi.f.{g \\ b.incj_.p^) 
{{i : DECJ(rj-,s))]2= Ipi-f. {gj iuj.{b \\ kTT) 

+Zj.rj{rj[Hncj.u] \\ zj]}.p;)) 
{{i : HALT)]2 = Ipi. h. h. fo{ro[linco.Uo \\ Zo]}.ri{ri[Hnci.iPi \\ z^]}.pl 

Table 3: Encoding of MMs into £^ 

Note that the decidability result extends to as it is a subcalculus of Moreover, by 
virtue of Theorems 2.26 and 3.5, decidability of BA extends also to £g and . We have: 



Corollary 7.25. BA is decidable for £g , and £^ . □ 



7.2. Undecidability of Eventual Adaptation. Here we show that EA is undecidable in £^ by relating it to termination in MMs; this result carries over to £l, £^, and £^ (see Corollary 7.29). The relationship is obtained by defining an encoding tailored to the features of the property. In contrast to the encoding given in Section 6, the encoding presented here is non-faithful, as it may perform erroneous tests for zero on the registers (i.e., in the simulation of the MM a register is assumed to contain the value zero even if this is not the case). Nevertheless, we are able to define encodings that repeatedly simulate finite computations of the MM, and if the number of repeated simulations is infinite, then we have the guarantee that the number of erroneous steps is finite. Thus infinitely many of the performed simulations are correct. This way, the MM terminates iff its encoding has a non-terminating computation. As during its execution the encoding continuously exhibits a barb on $e$, it then follows that EA is undecidable for £g processes.

The encoding relies on finitely many output prefixes acting as resources on which instructions of the MM depend in order to be executed. To repeatedly simulate finite runs of the MM, at the beginning of the simulation the encoding produces finitely many instances of these resources. When HALT is reached, the registers are reset, some of the consumed resources are restored, and a new simulation is restarted from the first instruction. In order to guarantee that an infinite computation of the encoding contains only finitely many erroneous jumps, finitely many instances of a second kind of resource (different from that required to execute instructions) are produced. Such a resource is consumed by increment instructions and restored by decrement instructions. When the simulation performs a jump, the tested register is reset: if it was not empty (i.e., an erroneous test) then some resources are permanently lost. When the encoding runs out of resources, the simulation will eventually block, as increment instructions can no longer be simulated. We make two non-restrictive assumptions. First, we assume that a MM computation contains at least one increment instruction. Second, in order to avoid resource loss at the end of a correct simulation run, we assume that MM computations terminate with both registers empty.

We now discuss the encoding defined in Table 3. We first comment on Control, the process that manages the resources. It is composed of three processes in parallel. The first, replicated, process is able to produce an unbounded amount of processes $\overline{f}$ and $\overline{b}$, which represent the two kinds of resources described above. The second process starts and stops a resource production phase by performing $\overline{a}$ and $a$, respectively. Then, it starts the MM simulation by emitting the program counter $\overline{p_1}$. The third process is used at the end of the simulation to restore some of the consumed resources $\overline{f}$ (that are transformed into $\overline{g}$, see below).

A register $r_j$ that stores number $m$ is encoded as an adaptable process at $r_j$ containing $m$ copies of the unit process $\overline{u_j}$. It also contains process $!inc_j.\overline{u_j}$, which allows to create further copies of $\overline{u_j}$ when an increment instruction is executed. Instructions are encoded as replicated processes guarded by $p_i$. Once $p_i$ is consumed, increment and decrement instructions consume one of the resources $\overline{f}$. If such a resource is available then it is renamed as $\overline{g}$, otherwise the simulation blocks. The simulation of an increment instruction also consumes an instance of resource $\overline{b}$.

The encoding of a decrement-and-jump instruction is slightly more involved. It is implemented as a choice: the process can either perform a decrement and proceed with the next instruction, or jump. In case the decrement can be executed (the input $u_j$ is performed) then a resource $\overline{b}$ is restored. The jump branch can be taken even if the register is not empty. In this case, the register is reset via an update that restores the initial state of the adaptable process at $r_j$. Note that if the register was not empty, then some processes $\overline{u_j}$ are lost. Crucially, this causes a permanent loss of a corresponding amount of resources $\overline{b}$, as these are only restored when processes $\overline{u_j}$ are consumed during the simulation of a decrement.

The simulation of the HALT instruction performs two tasks before restarting the execution of the encoding by reproducing the program counter $\overline{p_1}$. The first one is to restore some of the consumed resources $\overline{f}$: this is achieved by the third process of Control, which repeatedly consumes one instance of $\overline{g}$ and produces one instance of $\overline{f}$. This process is started/stopped by executing the two prefixes $\overline{h}.h$. The second task is to reset the registers by updating the adaptable processes at $r_j$ with their initial state.
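As an added example (not from the paper), here is a Python model of the resource accounting behind the encoding of Table 3. It abstracts the process calculus away and keeps only what the argument above relies on: the counts of $\overline{f}$, $\overline{g}$ and $\overline{b}$, the register contents, and the program counter. Two things are nondeterministic in the encoding and are supplied here by a policy object, which is an assumption of the model: which branch of a DECJ is taken, and how many iterations of $!h.(g.\overline{f} \parallel \overline{h})$ run between $\overline{h}$ and $h$ at HALT. The model also assumes that the resource production phase yields the same number $n$ of $\overline{f}$ and $\overline{b}$, since every iteration of the first Control process emits one of each. The sample MM program is constructed for the example and, as the text requires, contains an increment and terminates with both registers empty.

```python
from dataclasses import dataclass
from typing import List

INC, DECJ, HALT = "INC", "DECJ", "HALT"

# Constructed sample MM:  1: INC(r0)   2: DECJ(r0, 1)   3: HALT
# (instructions are 1-indexed; a correct run ends with both registers empty)
SAMPLE_MM = [(INC, 0), (DECJ, 0, 1), (HALT,)]


@dataclass
class State:
    f: int                 # available f-bar resources (one consumed per INC/DECJ)
    g: int                 # consumed f's, now present as g-bar
    b: int                 # available b-bar resources (consumed by INC, restored by DEC)
    regs: List[int]        # number of u_j-bar units inside each r_j[...]
    pc: int = 1
    halts: int = 0         # completed simulation runs
    errors: int = 0        # erroneous zero tests performed so far
    blocked: bool = False


class Faithful:
    """Jumps only when the register really is empty; restores every g at HALT."""
    def jump(self, st, j):
        return st.regs[j] == 0

    def restore(self, st):
        return st.g


class ErroneousFirstJump:
    """Takes the z_j branch at the first DECJ of every run, even if r_j is not empty."""
    def __init__(self):
        self.jumped = False

    def jump(self, st, j):
        if not self.jumped:
            self.jumped = True
            return True
        return st.regs[j] == 0

    def restore(self, st):
        self.jumped = False
        return st.g


def step(prog, st, policy):
    """Simulate one instruction of [[N]]_2; returns False when the encoding blocks."""
    ins = prog[st.pc - 1]
    if ins[0] in (INC, DECJ):
        if st.f == 0:                       # no f-bar left: the prefix f cannot fire
            st.blocked = True
            return False
        st.f, st.g = st.f - 1, st.g + 1     # f is renamed into g
    if ins[0] == INC:
        j = ins[1]
        if st.b == 0:                       # INC also needs a b-bar
            st.blocked = True
            return False
        st.b -= 1
        st.regs[j] += 1                     # !inc_j.u_j-bar spawns a new unit
        st.pc += 1
    elif ins[0] == DECJ:
        j, s = ins[1], ins[2]
        if policy.jump(st, j):              # z_j branch: always enabled, possibly erroneous
            if st.regs[j] > 0:
                st.errors += 1              # the dropped units' b-bar are lost for good
            st.regs[j] = 0                  # r_j{ r_j[!inc_j.u_j-bar || z_j-bar] } resets r_j
            st.pc = s
        else:                               # u_j branch: needs a unit, gives back a b-bar
            assert st.regs[j] > 0
            st.regs[j] -= 1
            st.b += 1
            st.pc += 1
    else:                                   # HALT
        k = policy.restore(st)              # g.f-bar iterations between h-bar and h
        st.g, st.f = st.g - k, st.f + k
        st.regs = [0] * len(st.regs)        # registers are reset to their initial state
        st.halts += 1
        st.pc = 1
    return True


def run(prog, n, policy, max_steps=300):
    """Start with n copies of f-bar and b-bar (the resource production phase) and
    simulate until the encoding blocks or max_steps instructions were executed."""
    st = State(f=n, g=0, b=n, regs=[0, 0])
    for _ in range(max_steps):
        if not step(prog, st, policy):
            break
    return st
```

With $n = 4$, `run(SAMPLE_MM, 4, Faithful())` completes one run every three steps and keeps `b == 4` forever, while `run(SAMPLE_MM, 4, ErroneousFirstJump())` loses one $\overline{b}$ per run, completes three runs, and then blocks on an increment with `b == 0`; its `errors` count never exceeds $n$, which is the finiteness argument of the text in miniature.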

The full definition of the encoding is as follows.

Definition 7.26. Let $N$ be a MM, with registers $r_0, r_1$ and instructions $(1 : I_1) \ldots (n : I_n)$. Given the Control process and the encodings in Table 3, the encoding of $N$ in £^ (written $[\![N]\!]_2$) is defined as $[\![r_0 = 0]\!]_2 \parallel [\![r_1 = 0]\!]_2 \parallel \prod_{i=1}^{n} [\![(i : I_i)]\!]_2 \parallel \mathrm{Control}$.

As discussed above, the encoding has an infinite sequence of simulation runs if and only if the corresponding MM terminates. As the barb $e$ is continuously exposed during the computation (the process $\overline{e}$ is spawned with the initial program counter and is never consumed), we can conclude that a MM terminates if and only if its encoding does not eventually terminate the simulation runs. As during the simulation runs the barb $e$ is always exhibited, this coincides with checking whether the encoding does not eventually adapt.

Lemma 7.27. Let $N$ be a MM. $N$ terminates iff $[\![N]\!]_2 \Downarrow_e$.

Proof. See Appendix C.1, Page 58. □

Exploiting Lemma 7.27 and proceeding exactly as in the proof of Theorem 6.3, we can state the following.

Theorem 7.28. EA is undecidable in £^. □
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Control = la. (/ || b \\ a) \\ a. a. (pi \\ e) \\ \h. {g. f \\ h) 
Register rj 

hj =013 = rj [Regjj cj [0]] ^ 

with Regj = lincj. Cj{cj[»]}. ack. Uj. Cj{cj[»]}. ack 
Instructions (i : Ij) 

[(i : INC(rj))]3 = Ipi.f. {g \\ b.incj. ack.p^) 
{{i : DECJ(rj-, s))l3 = Ipi. f. [g \\ {uj.ack. {bj\ Pi^) + 

Cj{»}.rj{rj[Regj \\ Cj[»]]}.p;)) 
{{i : HALT)l3 = Ipi. h. h. co{»}.ro{ro[Rego \\ co[»]]}. 

ci{»} . ri{ri[Regi \\ ci[»]]}.pT 

Table 4: Encoding of MMs into 



Similarly as in that case, undecidability extends also to S^, £l and £\. This easily follows from the fact that is a subcalculus of £l and from Lemma 2.18, since $[\![N]\!]_3$ is a process in that does not contain any nested adaptable processes.

Corollary 7.29. EA is undecidable in £^, £\, and £^. □

Note that the encoding $[\![\cdot]\!]_2$ uses processes that do not modify the topology of nested adaptable processes; update prefixes do not remove nor create adaptable processes: they simply remove the processes currently in the updated locations and replace them with the predefined initial content. One may wonder whether the ability to remove processes is necessary for the undecidability result: next we show that this is not the case.



8. (Un)decidability Results for £^

8.1. Undecidability of Eventual Adaptation in £^. Here we prove that EA is undecidable for £^ processes. We obtain this result by means of a non-faithful encoding of MMs similar to the one presented before.

In that encoding, Definition 7.26, process deletion was used to restore the initial state inside the adaptable processes representing the registers. In the absence of process deletion, we use a more involved technique based on the possibility of moving processes to a different context: processes to be removed are guarded by an update prefix $c_j\{c_j[\bullet]\}$ that simply tests for the presence of a parallel adaptable process at $c_j$; when a process must be deleted, it is "collected" inside $c_j$, thus disallowing the possibility to execute such an update prefix.

The encoding is as in Definition 7.26, with registers and instructions as in Table 4.

Definition 8.1. Let $N$ be a MM, with registers $r_0, r_1$ and instructions $(1 : I_1) \ldots (n : I_n)$. Given the Control process and the encodings in Table 4, the encoding of $N$ in £^ (written $[\![N]\!]_3$) is defined as $[\![r_0 = 0]\!]_3 \parallel [\![r_1 = 0]\!]_3 \parallel \prod_{i=1}^{n} [\![(i : I_i)]\!]_3 \parallel \mathrm{Control}$.

A register $r_j$ that stores number $m$ is encoded as an adaptable process at $r_j$ that contains $m$ copies of the unit process $\overline{u_j}.c_j\{c_j[\bullet]\}.\overline{ack}$. It also contains process $\mathrm{Reg}_j$, which creates further copies of the unit process when an increment instruction is invoked, as well as the collector $c_j$, which is used to store the processes to be removed.
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An increment instruction adds an occurrence of Uj. Cj{cj[»]}. ack. Note that an output 
inc could synchronize with the corresponding input inside a cohected process. This imme- 
diately leads to deadlock as the containment induced by Cj prevents further interactions. 
The encoding of a decrement- and-jump instruction is implemented as a choice, following 
the idea discussed for the static case. If the process guesses that the register is zero then, 
before jumping to the given instruction, it proceeds at disabling its current content: this is 
done by (i) removing the boundary of the collector Cj leaving its content at the top-level, 
and (ii) updating the register placing its previous state in the collector. A decrement sim- 
ply consumes one occurrence of Uj. Cj{cj[»]}. ack. Note that as before the output uJ could 
synchronize with the corresponding input inside a collected process. Again, this immedi- 
ately leads to deadlock. The encoding of HALT exploits the same mechanism of collecting 
processes to simulate the reset of the registers. 

This encoding has the same properties of the one discussed for the static case. In fact, in 
an infinite simulation the collected processes are never involved, otherwise the computation 
would block. 

Lemma 8.2. Let N be a MM. N terminates iff [iV]MJJ-e • 



Proof. See Appendix \D7\] Page [63) □ 
allows to conclude that EA is undecidable for processes in The proof of 



Lemma 



8.2 



the following theorem proceeds as the proofs of Theorems 6.3 and 7.28 

Theorem 8.3. EA is undecidable in □ 

We can conclude that process deletion is not necessary for proving the undecidability 
of EA in iSj. Nevertheless, in the encoding in Table |4] we need to use the possibility to 
remove and create adaptable processes (namely, the collectors Cj are removed and then 
reproduced when the registers must be reset). One could therefore wonder whether EA is 
still undecidable if we remove from the possibility to remove processes. Next we show 
that this is not the case. 



8.2. Decidability of Eventual Adaptation in £g. We prove the decidability of EA in 
£g by resorting to Petri nets. Namely, we reduce the eventual adaptation problem for 
to the infinite visit problem (cf. Definition 5.12). 

Before formally defining the encoding of £g processes into Petri nets, we give some 
intuitions. The idea is to use the markings of the Petri net to represent the active sequen- 
tial subprocesses and the available adaptable processes. Transitions are used to model the 
execution of actions. More precisely, each active sequential subprocess is represented by 
one token. Two tokens corresponding to two sequential subprocesses able to execute com- 
plementary actions can fire a transition, whose effect is to produce tokens representing the 
two continuations. As for update actions, they are represented by transitions that consume 
(at least) two tokens: one token corresponding to the process executing the update and 
another token representing the adaptable process target of the update operations. In order 
to ensure that update actions take place between processes which are in parallel, we keep 
track of the adaptable processes in which a process is included: we do so by decorating its 
place with a list of outer adaptable processes. Intuitively, this list represents the "address" 
of a single adaptable process within the nested structure of adaptable processes. 

We now present some auxiliary notations required by the definition. Let $P$ be a process of £^ and $M = \{P_1, \ldots, P_n\}$ be a set of processes of £g. It is not restrictive to assume that all the update actions on a given adaptable process can be executed: even if the static semantics decrees that update actions should satisfy conditions on the nesting structure of adaptable processes, Theorem 2.26 ensures the existence of an £^ process with the same behavior for which such conditions are always true. Let $\mathcal{P}_{seq}(P, M)$ be the set of sequential subprocesses in $P, P_1, \ldots, P_n$ and let $\Lambda(P, M)$ be the set of location name nestings, i.e. strings composed of names of nested locations, starting from the outermost adaptable process, occurring in one of the processes $P, P_1, \ldots, P_n$. We use $\sigma, \theta$ to range over strings in $\Lambda(P, M)$, and write $\sigma a$ for the string obtained by concatenating $\sigma$ and $a$.

Definition 8.4. Let $P$ and $M = \{P_1, \ldots, P_n\}$ be processes. Its associated Petri net is defined as the triple

$\mathrm{PN}(P, M) = (\mathrm{Places}(P, M), \mathrm{Trans}(P, M), \mathrm{Init}(P))$

where

• $\mathrm{Places}(P, M) = \{(R, \sigma) \mid R \in \mathcal{P}_{seq}(P, M),\ \sigma \in \Lambda(P, M)\} \cup \Lambda(P, M) \cup \{\mathit{start}, \mathit{go}\}$, with $\mathit{start}$ and $\mathit{go}$ being two distinguished auxiliary places.

• $\mathrm{Trans}(P, M)$ contains all the instances of the transition schemata reported in Table 5 over the set of places $\mathrm{Places}(P, M)$.

• $\mathrm{Init}(P) = \mathrm{dec}_\varepsilon(P) \uplus \{\mathit{start}\}$, with $\mathrm{dec}_\sigma(P)$ defined inductively as follows:

$\mathrm{dec}_\sigma(a[P]) = \mathrm{dec}_{\sigma a}(P) \uplus \{\sigma a\}$

$\mathrm{dec}_\sigma(P \parallel P') = \mathrm{dec}_\sigma(P) \uplus \mathrm{dec}_\sigma(P')$

$\mathrm{dec}_\sigma(P) = \{(P, \sigma)\}$ otherwise

where $\varepsilon$ corresponds to the empty string and $\uplus$ denotes multiset union.

We now describe the Petri net computation by giving intuitions on the transitions presented in Table 5. The initial marking includes one token in the place $\mathit{start}$ plus the tokens corresponding to the active sequential subprocesses of $P$. The token in $\mathit{start}$ allows to generate an arbitrary amount of copies of the processes $P_1, \ldots, P_n \in M$ (Transition (1)). This is simply achieved by considering $n$ transitions, such that the $i$-th transition tests for the presence of the token in $\mathit{start}$ and then produces the sequential subprocesses of $P_i$. Nondeterministically, the token is moved from $\mathit{start}$ to $\mathit{go}$ (Transition (2)). At this point, the simulation of the evolution of the generated configuration is started. As described above, synchronizations between complementary actions are modeled by transitions that consume the tokens corresponding to the two synchronizing processes and then produce the sequential subprocesses in the continuations. Transitions (3)-(5) cover the different cases in which an input/output synchronization can arise (namely, interaction between two guarded processes, between a replicated process and a guarded process, and between two replicated processes), while Transitions (6)-(9) cover the cases in which a synchronization corresponds to an update action. In the latter kind of transitions, we need to check the availability of a target adaptable process, but this adaptable process should not enclose the updating process (as in, e.g., $a[a\{U\} \parallel P]$). More precisely, suppose there is a process $Q$ executing an update action on name $a$, and let $\sigma$ be the string of the names of the adaptable processes enclosing $Q$. The availability of a target adaptable process can be checked by verifying the presence of a token in a place $\theta a$ which is not a prefix of $\sigma$ (see Transitions (6) and (8)). If $\theta a$ is a prefix of $\sigma$, then the adaptable process at $\theta a$ could enclose $Q$. In such a case, it is sufficient to check that the place $\theta a$ contains at least two tokens, thus indicating the existence of a different adaptable process with the same path but that does not enclose $Q$ (see Transitions (7) and (9)).

(1) $\{\mathit{start}\} \Rightarrow \{\mathit{start}\} \uplus \mathrm{dec}_\varepsilon(P_i)$ with $P_i \in M$

(2) $\{\mathit{start}\} \Rightarrow \{\mathit{go}\}$

(3) $\{\mathit{go}, (\sum_{i \in I} \pi_i.A_i, \sigma), (\sum_{j \in J} \rho_j.B_j, \theta)\} \Rightarrow \{\mathit{go}\} \uplus \mathrm{dec}_\sigma(A_l) \uplus \mathrm{dec}_\theta(B_m)$
if $\pi_l = a$ and $\rho_m = \overline{a}$ (for $l \in I$, $m \in J$)

(4) $\{\mathit{go}, (!\pi.A, \sigma), (\sum_{j \in J} \rho_j.B_j, \theta)\} \Rightarrow \{\mathit{go}, (!\pi.A, \sigma)\} \uplus \mathrm{dec}_\sigma(A) \uplus \mathrm{dec}_\theta(B_m)$
if $\pi = a$ (resp. $\overline{a}$) and $\rho_m = \overline{a}$ (resp. $a$) (for $m \in J$)

(5) $\{\mathit{go}, (!\pi.A, \sigma), (!\rho.B, \theta)\} \Rightarrow \{\mathit{go}, (!\pi.A, \sigma), (!\rho.B, \theta)\} \uplus \mathrm{dec}_\sigma(A) \uplus \mathrm{dec}_\theta(B)$
if $\pi = a$ (resp. $\overline{a}$) and $\rho = \overline{a}$ (resp. $a$)

(6) $\{\mathit{go}, (\sum_{i \in I} \pi_i.A_i, \sigma), \theta a\} \Rightarrow \{\mathit{go}\} \uplus \mathrm{dec}_\sigma(A_l) \uplus \mathrm{dec}_\theta(A) \uplus \mathrm{dec}_{\theta a}(U) \uplus \{\theta a\}$
if $\theta a$ is not a prefix of $\sigma$, $\pi_l = a\{a[U] \parallel A\}$ (for $l \in I$)

(7) $\{\mathit{go}, (\sum_{i \in I} \pi_i.A_i, \sigma), \theta a, \theta a\} \Rightarrow \{\mathit{go}\} \uplus \mathrm{dec}_\sigma(A_l) \uplus \mathrm{dec}_\theta(A) \uplus \mathrm{dec}_{\theta a}(U) \uplus \{\theta a, \theta a\}$
if $\theta a$ is a prefix of $\sigma$, $\pi_l = a\{a[U] \parallel A\}$ (for $l \in I$)

(8) $\{\mathit{go}, (!\pi.A', \sigma), \theta a\} \Rightarrow \{\mathit{go}, (!\pi.A', \sigma)\} \uplus \mathrm{dec}_\sigma(A') \uplus \mathrm{dec}_\theta(A) \uplus \mathrm{dec}_{\theta a}(U) \uplus \{\theta a\}$
if $\theta a$ is not a prefix of $\sigma$, $\pi = a\{a[U] \parallel A\}$

(9) $\{\mathit{go}, (!\pi.A', \sigma), \theta a, \theta a\} \Rightarrow \{\mathit{go}, (!\pi.A', \sigma)\} \uplus \mathrm{dec}_\sigma(A') \uplus \mathrm{dec}_\theta(A) \uplus \mathrm{dec}_{\theta a}(U) \uplus \{\theta a, \theta a\}$
if $\theta a$ is a prefix of $\sigma$, $\pi = a\{a[U] \parallel A\}$

Table 5: Transition schemata for the Petri net representation of £^ processes in Definition 8.4.
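The following Python code is an added example (not from the paper) of the two pieces of Definition 8.4 and Table 5 discussed above: the decomposition $\mathrm{dec}_\sigma$ of a process into places, and the enabling condition of the update transitions (6)-(9), which must make sure that the target adaptable process does not enclose the updating process. The representation is assumed: processes are nested tuples, a location is a tuple of names (so that multi-letter names are not glued together as a string would), a sequential place is a pair of a sequential subprocess and its address, and the $\mathit{start}$/$\mathit{go}$ control tokens are left out. The firing function assumes the selected branch of the updater has the shape $a\{a[U] \parallel A\}$ with continuation $A'$, as in the table, and the sample processes are constructed.

```python
from collections import Counter

# Assumed compact encoding of processes:
#   "seq"                 a sequential subprocess, written as a string
#   ("loc", a, P)         the adaptable process  a[P]
#   ("par", P, Q)         P || Q
# A location place is a tuple of names (the path theta·a); a sequential
# place is a pair (seq, path).  The start/go control tokens are omitted.


def dec(proc, sigma=()):
    """dec_sigma(P) of Definition 8.4, as a multiset (Counter) of places."""
    m = Counter()
    if isinstance(proc, tuple) and proc[0] == "loc":
        _, a, body = proc
        m[sigma + (a,)] += 1                  # the token for a[...] itself
        m += dec(body, sigma + (a,))          # its content, one level deeper
    elif isinstance(proc, tuple) and proc[0] == "par":
        m += dec(proc[1], sigma)
        m += dec(proc[2], sigma)
    else:
        m[(proc, sigma)] += 1                 # sequential subprocess at address sigma
    return m


def is_location(place):
    return isinstance(place, tuple) and bool(place) and all(isinstance(x, str) for x in place)


def is_prefix(theta_a, sigma):
    return sigma[:len(theta_a)] == theta_a


def update_targets(marking, sigma, a):
    """Paths theta·a at which an update on a, executed by a process at
    address sigma, is enabled (Transitions (6)-(9)).  If theta·a is a prefix
    of sigma the adaptable process at theta·a might enclose the updater, so
    two tokens are required instead of one."""
    targets = []
    for place, tokens in marking.items():
        if not is_location(place) or place[-1] != a:
            continue
        needed = 2 if is_prefix(place, sigma) else 1
        if tokens >= needed:
            targets.append(place)
    return targets


def fire_update(marking, updater, theta_a, u, a_proc, cont):
    """Fire transition (6)/(7) for a branch a{a[U] || A} with continuation A'.
    The old content of the target stays where it is (it fills the hole of U);
    A' goes to the updater's address, A next to the target, U inside it, and
    the target's own token is consumed and re-produced."""
    seq, sigma = updater
    a = theta_a[-1]
    if theta_a not in update_targets(marking, sigma, a) or marking[updater] < 1:
        raise ValueError("transition not enabled")
    new = Counter(marking)
    new[updater] -= 1
    new += dec(cont, sigma)
    new += dec(a_proc, theta_a[:-1])
    new += dec(u, theta_a)
    return +new                               # drop zero-count entries


# Constructed sample processes:
ENCLOSED = ("loc", "a", ("par", "a{U}.0", "b.0"))                  # a[ a{U}.0 || b.0 ]
SIBLING = ("par", ("loc", "a", "a{U}.0"), ("loc", "a", "0"))       # a[a{U}.0] || a[0]
COUSIN = ("par", ("loc", "b", "a{U}.0"), ("loc", "a", "0"))        # b[a{U}.0] || a[0]
```

For `ENCLOSED` the only token at path $a$ belongs to the process enclosing the updater, so `update_targets` is empty and no update transition is enabled; for `SIBLING` the same path carries two tokens and the update fires; for `COUSIN` the path $a$ is not a prefix of the updater's address $b$, so one token suffices.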

We now state the correspondence between processes and their associated Petri net.

Lemma 8.5. Let $P$ be a process of £g, let $M$ be the set $\{P_1, \ldots, P_n\}$, and let $(\mathrm{Places}(P, M), \mathrm{Trans}(P, M), \mathrm{Init}(P))$ be their associated Petri net, as in Definition 8.4. Then, given a marking $m$, we have $\mathrm{Init}(P) \longrightarrow^* \{\mathit{start}\} \uplus m \longrightarrow \{\mathit{go}\} \uplus m$ iff $m = \mathrm{dec}_\varepsilon(R)$, for some $R \in \mathit{CS}_P$.

Proof. Follows by construction of the Petri net. □

Lemma 8.6. Let $P$ and $(\mathrm{Places}(P, \emptyset), \mathrm{Trans}(P, \emptyset), \mathrm{Init}(P))$ be an £^ process and its associated Petri net, as in Definition 8.4. Then we have:

$P \longrightarrow P'$ iff $\mathrm{dec}_\varepsilon(P) \uplus \{\mathit{go}\} \longrightarrow \mathrm{dec}_\varepsilon(P') \uplus \{\mathit{go}\}$.

Proof. See Appendix D.2, Page 68. □

The decidability of EA for Eg follows from the decidability of the existence of a suffix of an infinite computation composed of markings with at least one token in some given places.

Theorem 8.7. Let $P$ be a process of S^, and let $M$ be the set $\{P_1, \ldots, P_n\}$ of processes. Consider $S = \mathrm{Subst}(P) \cup \mathrm{Subst}(P_1) \cup \cdots \cup \mathrm{Subst}(P_n)$, and let $P' = [\![P]\!]_S$ and $M' = \{[\![P_1]\!]_S, \ldots, [\![P_n]\!]_S\}$. Let $\alpha$ be a barb. We have that $P$ and $M$ satisfy EA for the barb $\alpha$ iff the Petri net

$(\mathrm{Places}(P', M'), \mathrm{Trans}(P', M'), \mathrm{Init}(P'))$

has an infinite computation with a suffix composed of markings with one token in $\mathit{go}$ and with at least one token in one of the places $(\sum_{i \in I} \pi_i.A_i, \theta)$ with $\pi_l = \alpha$ for some $l \in I$, or $(!\alpha.A, \theta)$.

Proof. Suppose that $P$ and $M$ satisfy EA for the barb $\alpha$; then there exists a process $R \in \mathit{CS}_P$ such that $R\Downarrow_\alpha$. By Lemma 8.5 there exists an initial computation of the Petri net that reaches the marking $\mathrm{dec}_\varepsilon(R) \uplus \{\mathit{go}\}$. Then, by Lemma 8.6, there exists an infinite computation with a suffix composed of markings with at least one token in one of the places $(\sum_{i \in I} \pi_i.A_i, \theta)$ with $\pi_l = \alpha$ for some $l \in I$, or $(!\alpha.A, \theta)$. Notice that in all of these markings the place $\mathit{go}$ contains one token.

Similarly, if there exists an infinite computation with a suffix composed of markings with one token in $\mathit{go}$ and at least one token in one of the places $(\sum_{i \in I} \pi_i.A_i, \theta)$, with $\pi_l = \alpha$ for some $l \in I$, or $(!\alpha.A, \theta)$, then by Lemma 8.5 and Lemma 8.6 we know that there exists a process $R \in \mathit{CS}_P$ such that $R\Downarrow_\alpha$. □

The check of the existence of an infinite computation with a suffix composed of markings with one token in $\mathit{go}$ and with at least one token in some given places corresponds to the infinite visit problem (Definition 5.12). Thus, since this problem is decidable (Theorem 5.13), it follows that EA is decidable in Si.



9. Related Work and Discussion 

We now comment on the origin and motivations for the constructs of £ , review some related 
works, describe a modeling technique derived from BA and EA, and discuss variants of the 
adaptation problems considered here. 

9.1. On the Constructs for Evolvability. The origins of the $\mathcal{E}$ calculus can be traced back to our own previous work on expressiveness and decidability results for core higher-order process calculi (see, e.g., [?, ?, ?]). Below, we overview these previous works, and discuss the motivations that led us from higher-order communication to adaptable processes.

Higher-order (or process-passing) concurrency is often presented as an alternative paradigm to the first-order (or name-passing) concurrency of the π-calculus for the description of mobile systems. As in the λ-calculus, higher-order process calculi involve term instantiation: a computational step results in the instantiation of a variable with a term, which is copied as many times as there are occurrences of the variable. The basic operators of these calculi are usually those of CCS: parallel composition, input and output prefix, and restriction. Replication and recursion can be encoded. Proposals of higher-order process calculi include the higher-order π-calculus [57], Homer [33], and Kell [59].






With the purpose of investigating expressiveness and decidability issues in the higher-order paradigm, a core higher-order process calculus, called HOcore, was introduced in [40]. HOcore is minimal, in that only the operators strictly necessary to obtain higher-order communications are retained. Most notably, HOcore has no restriction operator. Thus all names are global, and dynamic creation of new names is impossible. The grammar of HOcore processes is:

$$P ::= a(x).P \;\mid\; a\langle P\rangle \;\mid\; P \parallel P \;\mid\; x \;\mid\; 0$$

An input process $a(x).P$ can receive on name $a$ a process to be substituted in the place of $x$ in the body $P$; an output message $a\langle P\rangle$ sends the output object $P$ on $a$; parallel composition allows processes to interact. As in CCS, in HOcore processes evolve from the interaction of complementary actions; this way, e.g.,

$$a\langle P\rangle \parallel a(x).Q \longrightarrow Q\{P/x\}$$

is a sample reduction. (See [40, 52] for complete accounts on the theory of HOcore.)

While considerably expressive, HOcore is far from a specification language for settings involving (forms of) higher-order communication. For instance, it lacks primitives for describing the localities into which distributed systems are typically abstracted. Similarly, HOcore also lacks constructs for expressing forms of evolvability and/or dynamic reconfiguration. In order to deal with these aspects, higher-order process calculi such as Homer and Kell provide mechanisms that allow to suspend running processes. Such mechanisms rely on a form of named localities for processes, so-called suspension (or passivation) units. Inside a suspension unit, a process may execute and freely interact with its environment, but it may also be stopped at any time. More precisely, let us consider the extension of HOcore with process suspension. Let $a[P]$ denote the process $P$ inside the suspension unit $a$. Assuming an LTS with actions of the form $P \xrightarrow{\alpha} P'$, the semantics of suspension is formalized by the following two rules:

$$(\textsc{Trans})\ \frac{P \xrightarrow{\alpha} P'}{a[P] \xrightarrow{\alpha} a[P']} \qquad\qquad (\textsc{Susp})\ \frac{}{a[P] \xrightarrow{a\langle P\rangle} 0}$$

where $a\langle P\rangle$ corresponds to the output action in the LTS of HOcore (see [40]). While rule (Trans) defines the transparency of suspension units, rule (Susp) implements suspension: the current state of a located process is "frozen" as an output action, in which it can no longer evolve. Hence, in this semantics input prefixes may interact not only with output actions but also with suspension units; in fact, suspension of a running process is assimilated to regular process communication. As a simple example, consider the following process $S$:

$$S \triangleq a[P] \parallel a\langle Q\rangle \parallel a(x).R$$

It is easy to see that two possible evolutions for $S$ are $S' = a[P] \parallel R\{Q/x\}$ and $S'' = a\langle Q\rangle \parallel R\{P/x\}$. Other evolutions, related to the behavior of $P$, are also possible. While the semantics for suspension just described allows for a straightforward definition, we observe two potential drawbacks. First, the dual role of input prefixes induces a form of non-determinism that one may regard as unnatural. Consider $a(x).R$ in $S$ above: in the first evolution, it acts as a communication endpoint, whereas in the second it acts as a suspension realizer. Second, such a semantics is only possible for calculi which already feature process passing in communications. That is, the possibility of suspending/reconfiguring processes at runtime is somehow tied to the calculus being higher-order.

With these drawbacks in mind, in the definition of $\mathcal{E}$ we have opted for a different approach: we do not assume higher-order communication, and rely instead on a restricted form of term instantiation for defining update actions. That is, we exploit a very particular form of higher-order interaction to define process suspension for calculi which may well be first-order. Here, in order to focus on the novel features of adaptable processes, we have considered a variant of CCS. Moreover, as we elaborate below, update in $\mathcal{E}$ can be seen as objective rather than as subjective: an adaptable process may evolve independently until it is updated by a prefix in its surrounding context. Furthermore, by featuring update prefixes $a\{U\}$ — a dedicated construct for representing the runtime reconfiguration of located processes — $\mathcal{E}$ enforces a separation of concerns, which allows to distinguish interaction/communication from actions of dynamic reconfiguration. We believe these are all reasonable design choices, which allow us to focus on the fundamental aspects of evolvability for concurrent processes. In fact, they could provide a basis for developing new formalisms with adaptation concerns, such as, e.g., an adaptable extension of the π-calculus or a variant of $\mathcal{E}$ with the nested locations of Homer.

9.2. Related Work. We have already discussed related works from the point of view of proof techniques in the Introduction. Below, we comment on some languages/formalisms related to $\mathcal{E}$.

Loosely related to $\mathcal{E}$ are process calculi for fault tolerance (see, e.g., [9, 50, 56, 31]). These are variants of the π-calculus tailored for describing algorithms on distributed systems; hence, they include explicit notions of sites/locations, network, and failures. A series of extensions to the asynchronous π-calculus so as to model distributed algorithms is proposed in [9]. One such extension, aimed at representing process failure, is a higher-order operation that defines savepoints: process $\mathsf{save}(P).Q$ defines the savepoint $P$ for the current location; if such a location crashes, then it will be restarted with state $P$. A value-passing calculus to represent and formalize algorithms of distributed consensus is introduced in [50]; it includes a failure detector construct $\mathcal{S}(k).P$ which executes $P$ if locality $k$ is suspected to have failed. The partial failure languages of [56, 31] feature similar constructs; such works aim at developing bisimulation-based proof techniques for distributed algorithms. Crucially, in the constructs for failure proposed in the above works (savepoints, failure detectors), the post-failure behavior is defined statically, and does not depend on some runtime behavior. Hence, as discussed in Section 4, these constructs are easily representable in $\mathcal{E}$. None of the above works addresses adaptation properties related to failures nor studies decidability/expressiveness issues for the languages they work on.

$\mathcal{E}$ relies on transparent localities as a way of structuring communicating processes for update purposes. The hierarchies induced by transparent localities are rather weak; this is in contrast to process hierarchies in calculi such as Ambients [20] or Seal [22]. The ambients in the Ambient calculus represent administrative domains and act as containers of concurrent processes. Ambients may be dissolved using the open primitive; transparent localities can only be eliminated in $\mathcal{E}$ by an explicit synchronization with a suitable update prefix. Movement across the ambient hierarchy is achieved via the in/out primitives; it is said to be subjective rather than objective, as ambients move themselves and are not moved by their context. Adapting this distinction to our setting, it is fair to say that $\mathcal{E}$ features a form of objective update, as an adaptable process does not contain information on its future update actions: it evolves autonomously until it is updated by a suitable update prefix in its context. A fundamental difference of Ambients with respect to higher-order process calculi is that movement is linear: it is not possible to duplicate an ambient through its movement. This aspect is one of the main differences between Ambients and Seal, in which process duplication is possible. A main design guideline in Seal is security; in fact, it is intended as a calculus of sealed objects. Within the hierarchy of seals, only parent/child communication is allowed, thus establishing a noticeable difference with respect to the hierarchies of transparent localities in $\mathcal{E}$.

A suspension-like construct is at the heart of MECo [58], a model for evolvable components. It is defined as a process calculus in which components feature a hierarchical structure, rich input/output interfaces, as well as channel communication. Evolvability in MECo is enforced by a suspension-like construct that stops a component and extracts its "skeleton". Because of its focus on components, adaptation in MECo is mostly concerned with consistent changes in input/output interfaces; in our case, adaptation is defined in terms of some distinguished observables of the system, thus constituting a rather general way of characterizing correctness. COMP [42] is another process calculus for component models. It is intended to be the component model for the ABS modeling language; as such, it aims at providing a unified definition of evolvability for objects, components, and runtime modifications of programs. In COMP, constructs for evolvability are based on the movement primitives of the Ambient calculus rather than on suspension-based constructs, as in $\mathcal{E}$ and MECo. Hence, the semantics of reconfiguration in COMP is quite different from that in $\mathcal{E}$, which prevents more detailed comparisons.

In a broader setting, related to $\mathcal{E}$ are formalisms for the specification of (dynamic) software architectures. While some of them are based on process calculi, none of them relies on suspension-like constructs to formalize evolution/adaptation. Below we review some of them; we refer the reader to [13, ?, ?, ?] for more extensive reviews.

One of the earliest proposals for formal grounds to dynamic architectures is [4], where a formal system for architectural components which relies on (a fragment of) Hoare's CSP is introduced. The approach in [4], however, does not consider dynamic architectures. Darwin [33] is an Architecture Description Language (ADL) for distributed systems; it aims at describing the structure of static and dynamic component architectures which may evolve at runtime. The focus is then on the bindings of interacting components; the operational semantics of Darwin relies on a π-calculus model for handling such bindings. Darwin features a mechanism of dynamic instantiation which allows arbitrary changes in the system architecture. Associated techniques for analyzing dynamic change in Darwin have been proposed in [38, 37]. In comparison to $\mathcal{E}$, the kind of changes possible in Darwin concern the system topology rather than the "state" of the interconnected entities, as in our case. π-ADL [51] is an ADL for dynamic and mobile architectures. Formally defined as a typed variant of the higher-order π-calculus, π-ADL focuses on a combination of structural and behavioral perspectives: while the former describes the architecture in terms of components, connectors, and their configurations, the latter describes it in terms of actions and behaviors. π-ADL is at the heart of ArchWare-ADL [?, 6], a layered ADL for active architectures. ArchWare-ADL complements π-ADL with a style layer that allows the specification of components and connectors, and with an analysis layer which enables the specification of constraints on the styles. In contrast to $\mathcal{E}$, π-ADL does not offer any construct for supporting system evolvability. In fact, while ArchWare-ADL supports forms of evolution (via mechanisms for stopping running programs and decomposing them into their main constituents), these are not provided by the formal framework of π-ADL but by technologies on top of it [49]. Pilar [25, ?, 23] is an algebraic, reflective ADL. Reflection in Pilar (defined as the capability of a system to reason and act upon itself) relies on the notion of reification which, roughly speaking, relates entities in different levels of a specification for defining introspection capabilities. The semantic foundation of Pilar is a first-order, polymorphic typed variant of the π-calculus; no constructs for dynamic update such as those in $\mathcal{E}$ are included in Pilar.

We conclude this review by mentioning other works on formal approaches to dynamic update [32, 11, ?, ?, 19]. They all rely on different approaches from ours.

In [32], an investigation on on-line software version change is presented. There, an on-line change is said to be valid if the updated program eventually exhibits behavior of the new version. The problem of determining validity of an on-line change is shown to be undecidable by relating it to the halting problem. The study in [32], however, is limited to restricted instances of imperative languages. Moreover, the notion of validity says very little about correctness and adaptation. A formal model for adaptation in asynchronous programs in distributed systems is introduced in [11]. Programs are expressed as guarded commands, and represented as automata; adaptation can then be described as transforming one automaton into another automaton. The focus of [11] is the verification of the behavior of the system during adaptation, considering the interaction between the new program and the old one. The use of graph rewriting/category theory to formalize software architecture reconfiguration has been studied in [62]. In [?], the update calculus, a typed λ-calculus with a primitive operation for updating modules, is proposed. A development of this idea was carried out in [61], where a calculus for dynamic update in typed, imperative languages is proposed. There, the focus is on type-safe updates — intuitively, the consistent update of type $\tau$ with some new type $\tau'$. There is no knowledge about future software updates; type coercion mechanisms are then used to recast new (in principle, unknown) types to old types. In contrast, in our case "update code" is defined in advance. In fact, this is a conceptual difference between update (as in works such as [61]) and dynamic adaptation, as we have considered it here. A framework for structural component reconfiguration with behavioral adaptation considerations is introduced in [19], where component architectures are given by nets of interacting components represented by LTSs. Notice that the concept of "behavioral adaptation" in [19] is different from our notion of adaptation. The former refers to the changes required in component interfaces so as to achieve effective compositions. Instead, our notion of adaptation concerns a higher abstraction level, as we address the evolution of running processes through built-in adaptation mechanisms.

9.3. Applying the Verification Problems. In the examples given in Section 4, both BA and EA were used to check whether a process can reach a state without errors. In general, however, one may be interested in both solving errors and preserving the correct behavior of the system. In particular, one could be interested in checking whether certain states of the system are still reachable after correcting an error. We now discuss a modeling technique which allows us to express such a property as an instance of the BA and EA problems. The key idea is to extend the given system with parallel behaviors, defined in accordance with the observable events associated to errors and adaptation in the system.

We illustrate the technique by considering the particular case of the EA problem; the use of the BA problem is analogous. We consider a system abstracted as a process $P$, with the following observable actions:

(i) $a$, which signals that the system has reached the state we are interested in;

(ii) $e_b$, which is emitted as soon as the system enters an error phase;

(iii) $e_f$, which signals that the error has been corrected.

We define a process $P^*$ as an extension of $P$ with parallel behaviors which, roughly speaking, "complement" the above actions. Intuitively, by checking whether property EA is satisfied for such a $P^*$ and a barb $e$, we will be able to guarantee that after having corrected an error in $P$ the distinguished state signaled by $a$ is still reachable. Process $P^*$ is defined as follows:

$$P^* = P \parallel c \parallel\ !c.a.c \parallel e_b.(e + c.(e + e_f.(e + a.c)))$$

Above, we assume that $c$ and $e$ do not occur in $P$. In $P^*$ we can identify four parts: the process $P$, which is kept unchanged; process $C = \,!c.a.c$, which is used to check that the state signaled by $a$ has been reached; process $c$, which is used to spawn the first copy of $a$; finally, we have process $R = e_b.(e + c.(e + e_f.(e + a.c)))$.

We explain the behavior of $P^*$. When $P$ enters an error phase (as signaled by $e_b$), a synchronization takes place and $R$ reaches the process $R_1 = e + c.(e + e_f.(e + a.c))$. This is the first point in which barb $e$ becomes available; the only way to satisfy the EA property is to make $e$ disappear. Then, process $R_1$ synchronizes with $c$, as this is the only possible evolution, thus obtaining $R_2 = e + e_f.(e + a.c)$. Notice that at this point the process $P$ cannot evolve by consuming $a$, as the occurrence of $a$ in the process $C$ is guarded by a prefix $c$, and no copy of $c$ is available. In $R_2$, barb $e$ is available again and the process can evolve only when $P$ corrects the error (i.e., when an action $e_f$ is observed). As soon as the error phase is completed, $P$ can synchronize on $e_f$, thus reaching the process $R_3 = e + a.c$. In $R_3$, barb $e$ will finally disappear as soon as the system $P$ performs again action $a$.

Clearly, the specific definition of $P^*$ will depend on the features of the given $P$. Still, the above example is already useful to illustrate how the two verification problems introduced in the paper can provide a suitable basis for reasoning about non-trivial properties of evolvable systems which may depend on the observables of the system under consideration.
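The monitor construction just described, run mechanically as an added example (this code is not from the paper): a small Python interpreter for the CCS fragment used here (parallel composition, guarded choice, prefix, replicated prefix, no restriction), with EA checked on the finite reachable state space as the absence of a cycle through states that all exhibit barb e. Assumptions of the example: which prefixes of C and R are outputs, the driver name t, and the two constructed systems P_GOOD and P_BAD.

```python
"""EA check for the P* monitor of Section 9.3 on a finite state space (added example)."""
from collections import deque

# A process is a tuple of threads, kept sorted so equal multisets compare equal.
# Thread forms: ('sum', ((act, cont), ...)) guarded choice, cont is a process;
#               ('rep', act, cont) replicated prefix !act.cont.  Co-action of 'a' is '~a'.

def norm(threads):
    return tuple(sorted(threads, key=repr))

def pre(act, cont=()):                  # act.cont, where () is the nil process
    return (('sum', ((act, cont),)),)

def choice(*branches):                  # act1.cont1 + act2.cont2 + ...
    return (('sum', tuple(branches)),)

def rep(act, cont=()):                  # !act.cont
    return (('rep', act, cont),)

def par(*procs):                        # parallel composition = multiset union
    return norm(sum(procs, ()))

def co(act):
    return act[1:] if act.startswith('~') else '~' + act

def thread_moves(t):
    """Enabled prefixes of one thread as (action, process replacing the thread)."""
    if t[0] == 'sum':
        return list(t[1])
    _, act, cont = t
    return [(act, par(cont, (t,)))]     # the replicated prefix is kept

def barbs(p):
    """Actions the process can perform immediately (the barbs of Definition 3.1)."""
    return {act for t in p for act, _ in thread_moves(t)}

def reductions(p):
    """Successors of p: synchronisation of two threads on complementary prefixes."""
    succ = set()
    for i in range(len(p)):
        for j in range(i + 1, len(p)):
            rest = p[:i] + p[i + 1:j] + p[j + 1:]
            for a1, q1 in thread_moves(p[i]):
                for a2, q2 in thread_moves(p[j]):
                    if a1 == co(a2):
                        succ.add(par(rest, q1, q2))
    return succ

def reachable(p0):
    graph, todo = {}, deque([p0])
    while todo:
        p = todo.popleft()
        if p not in graph:
            graph[p] = reductions(p)
            todo.extend(graph[p])
    return graph

def eventual_adaptation(p0, err='e'):
    """EA for a finite state space: an infinite computation whose suffix consists
    only of states with barb err exists iff the reachable graph has a cycle
    through such states, so we look for one with a depth-first search."""
    graph = reachable(p0)
    bad = {p for p in graph if err in barbs(p)}
    state = {}                           # p -> 'open' (on the DFS stack) or 'done'
    for start in bad:
        if start in state:
            continue
        stack, state[start] = [(start, iter(graph[start] & bad))], 'open'
        while stack:
            node, it = stack[-1]
            nxt = next(it, None)
            if nxt is None:
                state[node] = 'done'
                stack.pop()
            elif state.get(nxt) == 'open':
                return False             # back edge: cycle made only of error states
            elif nxt not in state:
                state[nxt] = 'open'
                stack.append((nxt, iter(graph[nxt] & bad)))
    return True

def p_star(p, a='a', eb='eb', ef='ef', c='c', e='e'):
    """P* = P || ~c || !c.a.~c || eb.(e + c.(e + ef.(e + a.~c))).
    Which prefixes are outputs (~) is an assumption of this example."""
    checker = rep(c, pre(a, pre(co(c))))
    monitor = pre(eb, choice((e, ()), (c, choice((e, ()), (ef, choice(
        (e, ()), (a, pre(co(c)))))))))
    return par(p, pre(co(c)), checker, monitor)

# Constructed sample systems (not from the paper).  After signalling a once, P_GOOD
# enters an error phase, fixes it and then signals a forever; P_BAD never fixes it.
LOOP = par(pre('~t'), rep('t', pre('~a', pre('~t'))))   # t: private driver name
P_GOOD = pre('~a', pre('~eb', pre('~ef', LOOP)))
P_BAD = pre('~a', pre('~eb', LOOP))

if __name__ == '__main__':
    for name, p in (('P_GOOD', P_GOOD), ('P_BAD', P_BAD)):
        print(name, 'satisfies EA:', eventual_adaptation(p_star(p)))   # True / False
```

For P_BAD the cycle found is one in which C keeps synchronizing on c while R_1 is never scheduled, which is precisely the kind of unfair computation discussed in the concluding remarks.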



9.4. Variants of the Correctness Properties. In this presentation, we have studied correctness of adaptable processes from a rather general perspective; in fact, the definitions of BA and EA are based only on minimal observations on the behavior of the system. This allows us to reason about the interplay between correctness and adaptation for diverse classes of concurrent systems. More informative properties (relating correctness and the structure of the system, for instance) can be devised according to the nature of some particular setting.

In this context, it is worth noticing that the technical machinery required for our (un)decidability results can be adapted to handle a slightly different definition of the adaptation problems stated in Definition 3.3. More precisely, such problems can be relaxed so as to consider non-consecutive error occurrences, rather than consecutive ones. For this purpose, we modify the notion of barbs (cf. Definition 3.1) by admitting an arbitrary number of reductions between the actual error barbs:

Definition 9.1 (Barbs - Alternative Definition). Let $P$ be an $\mathcal{E}$ process, and let $\alpha$ be an action in $\{a, \bar{a} \mid a \in \mathcal{N}\}$.

• Given $k > 0$, we write $P \Downarrow^{k}_{\alpha}$ iff there exist $Q_1, \ldots, Q_k$ such that $P \longrightarrow^* Q_1 \longrightarrow^* \cdots \longrightarrow^* Q_k$ with $Q_i \downarrow_{\alpha}$ for every $i \in \{1, \ldots, k\}$.

• We write $P \Downarrow^{\omega}_{\alpha}$ iff there exists an infinite computation $P \longrightarrow^* Q_1 \longrightarrow^* Q_2 \longrightarrow^* \cdots$ with $Q_i \downarrow_{\alpha}$ for every $i \in \mathbb{N}$.

Furthermore, we use $P \not\Downarrow^{k}_{\alpha}$ and $P \not\Downarrow^{\omega}_{\alpha}$ to denote the negation of $P \Downarrow^{k}_{\alpha}$ and $P \Downarrow^{\omega}_{\alpha}$, with the expected meaning.

Variants of EA and BA can then be restated considering the new definition above. Thus, given a set of clusters $CS_P$ and a barb $e$, the BA problem consists in checking whether all computations of processes in $CS_P$ have at most $k$ states exhibiting $e$. Similarly, EA consists in checking whether there is no computation in which $e$ is observable in infinitely many distinct states. Given these alternative definitions of EA and BA, (un)decidability results can be easily derived from the ones presented here. In fact, Table 1 remains unchanged under the alternative adaptation problems, and straightforwardly all undecidability results hold. As for the decidability results, we should adapt the WSTS construction and the Petri net simulation. In particular, to show decidability of the alternative definition of BA for $\mathcal{E}^{-}$ processes, it is enough to slightly change the definition of $\mathit{pba}(S)$ (Definition 7.22), substituting the occurrences of $\mathit{pbs}$ with $\mathit{Pred}$, whose effectiveness is guaranteed by Theorem 7.20. Concerning the decidability of EA for $\mathcal{E}^{-}$, the Petri net semantics presented in Section 8.2 reduces this alternative version of the property to the repeated coverability problem. This problem is known to be decidable for Petri nets, see e.g. [28].



10. Concluding Remarks 

We have proposed the concept of adaptable process as a way of describing complex evolvability patterns in models of concurrent systems. We have introduced $\mathcal{E}$, a process calculus of adaptable processes, in which located processes can be updated and relocated at runtime. In our view, this ability improves the kind of reconfiguration that can be expressed in existing (higher-order) process calculi. In the design of $\mathcal{E}$, we aimed at isolating a small basis for representing reconfiguration of interacting processes: we extended CCS without restriction and relabeling (a non Turing complete model) with transparent localities (arguably the simplest conceivable way of structuring processes into hierarchies) and with update prefixes. The interaction of adaptable processes with update prefixes constitutes a restricted form of higher-order communication that realizes process reconfiguration.

In order to formalize the correctness of evolvable processes, we proposed the bounded and eventual adaptation problems. We studied the (un)decidability of these problems in several variants of $\mathcal{E}$, obtained by different evolvability patterns as well as static and dynamic topologies of adaptable processes. Our results shed light on the expressive power of $\mathcal{E}$ as well as on the nature of verification for concurrent processes that may evolve at runtime.

There are a number of practical and technical issues associated to adaptable processes 
that would be worth investigating in future work. 

• We would like to understand how to accommodate (a form of) restriction into $\mathcal{E}$ while preserving our decidability results. This is a delicate issue, as typically adding restriction causes decidability results to break (see, e.g., [18]). Recently, higher-order calculi with name creation (which replaces usual name restriction) have been put forward [?]; a creationist treatment of names is claimed to be closer to distributed implementations and is shown to have benefits in the development of associated behavioral theories. Exploring variants of $\mathcal{E}$ with a name creation construct could therefore be insightful.
• In the definition of eventual adaptation we require the absence of computations with infinitely many successive error states. It would be interesting to investigate the impact of fairness on our results, in particular the decidability result for EA. In fact, the detected computation with infinitely many successive error states could be unfair, in the sense that a parallel process or thread able to solve the problem is available but never scheduled. In several concurrent models, properties like the existence of an infinite computation turn from decidable to undecidable when restricting to fair computations (see [21] for Petri nets or [64] for CGF, a stochastic CCS-like process calculus for the modeling of chemical systems). As future work we intend to check whether a similar result applies also to our case.

• It would be interesting to study the behavioral theory of $\mathcal{E}$ processes; recent works on behavioral equivalences for higher-order process calculi with passivation (e.g. [?, 53, ?]) could provide a reasonable starting point. Also, it would be important to devise (logic-based) techniques for enhancing the verification of adaptable processes; in recent work [16], we have studied an alternative for tackling this challenging issue.

• From a practical standpoint, it would be interesting to develop extensions or variants of $\mathcal{E}$ tailored to concrete application settings, to determine how the adaptation problems proposed here fit in such scenarios, and to study how to transfer our decidability results to such richer languages. For instance, it would be interesting to see how our adaptation problems fit in the context of higher-order calculi such as Kell and Homer, which feature rich constructs for structuring processes (kells in Kell, nested locations in Homer).

• Finally, it would be useful to address the complexity of BA and EA. As far as EA is concerned, we have presented its (polynomial) reduction to the Petri net place boundedness problem, for which an EXPSPACE decision procedure exists [?]. Concerning BA, our proof of decidability does not give a precise indication about the complexity, as only the termination of the procedure is guaranteed by the well quasi-ordering we have defined. We plan to investigate the complexity of the problem by comparing BA to the coverability problem for reset Petri nets, which is known to be non primitive recursive (see, e.g., [60]). In fact, the possibility of atomically erasing the current contents of an adaptable process is reminiscent of the ability that reset transitions have for removing all the tokens in some given place. Hence, a plausible direction of future work is to investigate suitable abstractions that could help alleviate the state explosion problem.
Appendix A. Proofs from Section 2

A.1. Proof of Lemma 2.20. We need the following auxiliary definitions.

Definition A.1. Given two $\mathcal{E}$ processes in normal form $P$ and $Q$, we define $\mathrm{St}(P \parallel Q)$ as follows. The root is labeled $\epsilon$, and has $n + m$ children: the first $n$ children correspond to the children of the root of $\mathrm{St}(P)$, while the rest correspond to the $m$ children of the root of $\mathrm{St}(Q)$.

Proposition A.2 (Syntactic Closure for processes). Let $P_1, P_2$ be $\mathcal{E}$ processes.

(1) $P_1, P_2 \in \mathcal{E}_s$ iff $P_1 \parallel P_2 \in \mathcal{E}_s$.

(2) $P \in \mathcal{E}_s$ iff $a[P] \in \mathcal{E}_s$.

(3) $P_i \in \mathcal{E}_s$ and $|P_i|_{ap} = 0$ for $i \in [1..n]$ iff $\sum_{i=1}^{n} \pi_i.P_i \in \mathcal{E}_s$.

(4) $P \in \mathcal{E}_s$ and $|P|_{ap} = 0$ iff $!\pi.P \in \mathcal{E}_s$.

Proof. Immediate from Definitions 2.4 and 2.12. In particular, items (3) and (4) follow by observing that any process $P$ such that $|P|_{ap} = 0$ belongs to the syntactic category $A$ in the grammar of $\mathcal{E}_s$ processes given in Definition 2.4. □

We repeat the statement from page 12.

Lemma A.3. Let $P$ be an $\mathcal{E}_s$ process. If $P \longrightarrow P'$ then also $P'$ is an $\mathcal{E}_s$ process. Moreover, $\mathrm{St}(P) = \mathrm{St}(P')$.

Proof. The proof proceeds by induction on the height of the derivation tree for $P \longrightarrow P'$, with a case analysis on the last applied rule. There are seven cases to check.

Case (Act1): Then $P = P_1 \parallel P_2$ and $P' = P_1' \parallel P_2$, with $P_1 \longrightarrow P_1'$. By inductive hypothesis, we have that $P_1'$ is an $\mathcal{E}_s$ process. By Proposition A.2 we have that $P_2 \in \mathcal{E}_s$, and we can therefore conclude that $P' = P_1' \parallel P_2$ is an $\mathcal{E}_s$ process.

Moreover, by inductive hypothesis, we have that $\mathrm{St}(P_1) = \mathrm{St}(P_1')$ and by Definition 2.10 it is easy to see that $\mathrm{St}(P_1 \parallel P_2) = \mathrm{St}(P_1' \parallel P_2)$ holds.

Case (Act2): Analogous to the case for (Act1) and omitted.

Case (Loc): Then $P = a[Q]$ and $P' = a[Q']$, with $Q \longrightarrow Q'$. By inductive hypothesis, we have that $Q'$ is an $\mathcal{E}_s$ process. By Proposition A.2 we have that $P' = a[Q']$ is an $\mathcal{E}_s$ process.

Moreover, by inductive hypothesis, we have that $\mathrm{St}(Q) = \mathrm{St}(Q')$. Then, it is immediate to see that by Definition 2.10 $\mathrm{St}(a[Q]) = \mathrm{St}(a[Q'])$.
Cases (Tau1)-(Tau2): Then $P = C_1[A] \parallel C_2[B]$, where $C_1, C_2$ are monadic contexts as in Definition 7.11. Moreover, $A$ is either $!b.Q$ or $\sum_{i \in I} \pi_i.Q_i$ with $\pi_l = b$, for some $l \in I$, and $B$ is either $!b.R$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = b$, for some $l \in I$.

We consider only the case in which $A = \sum_{i \in I} \pi_i.Q_i$ and $B = \,!b.R$; the other cases are similar. Then $P' = C_1[Q_l] \parallel C_2[R \parallel\, !b.R]$ and from Proposition A.2 we easily conclude that $P'$ is an $\mathcal{E}_s$ process.

By assumption and by Proposition A.2 we have that $A$ and $B$ are $\mathcal{E}_s$ processes. In turn, this allows us to infer that $\mathrm{St}(\sum_{i \in I} \pi_i.Q_i) = \mathrm{St}(Q_l)$ and $\mathrm{St}(!b.R) = \mathrm{St}(R)$, as well-formed $\mathcal{E}_s$ processes do not contain adaptable processes behind prefixes, and therefore their component structure denotations are unaffected by input/output transitions. The thesis then follows by Definition 2.10: $\mathrm{St}(P) = \mathrm{St}(P')$.
Cases (Tau3)-(Tau4): Then $P = C_1[A] \parallel C_2[B]$ where:

• $C_1, C_2$ are monadic contexts, as in Definition 7.11;

• $A = b[P_1]$, for some $P_1$;

• $B = \sum_{i \in I} \pi_i.P_i$ with $\pi_l = b\{b[U] \parallel P_2\}$ for $l \in I$, or $B = \,!b\{b[U] \parallel P_2\}.R$, for some $P_2, R$.

We consider the case in which $B = \,!b\{b[U] \parallel P_2\}.R$; the other case is similar. Then $P' = C_1[a[U\{\!\{P_1\}\!\}] \parallel P_2] \parallel C_2[R \parallel\, !b\{b[U] \parallel P_2\}.R]$. By Proposition A.2 we have that $C_2[R \parallel\, !b\{b[U] \parallel P_2\}.R]$ and $P_2$ are $\mathcal{E}_s$ processes. We now focus on process $U\{\!\{P_1\}\!\}$: by Proposition A.2 we know that $P_1$ is an $\mathcal{E}_s$ process; if $|U|_{ph} = 0$ then it could not occur that an adaptable process in $P_1$ is prefixed. Otherwise, if $|U|_{ph} > 0$ then the side condition (2) of rule (Tau3) ((Tau4)) ensures that $|P_1|_{ap} = 0$. As $U$ follows the syntax of $\mathcal{E}_s$, by means of Proposition A.2 we can conclude that $U\{\!\{P_1\}\!\} \in \mathcal{E}_s$. Moreover, the side condition (1) of rule (Tau3) ((Tau4)) implies that

$$\mathrm{St}(b[P_1]) = \mathrm{St}(a[U\{\!\{P_1\}\!\}] \parallel P_2).$$

The thesis then follows by Definition 2.10: $\mathrm{St}(P) = \mathrm{St}(P')$. □



A.2. Proof of Theorem 2.26. We divide the proof into two lemmas. We need some auxiliary results.

Proposition A.4. Let $P_1$ and $P_2$ be $\mathcal{E}_s$ processes. Then $\mathrm{Subst}(P_1 \parallel P_2) = \mathrm{Subst}(P_1) \cup \mathrm{Subst}(P_2)$.

Proof. Immediate from the definition of $\mathrm{Subst}(\cdot)$ (cf. Definition 2.21). □

Lemma A.5. Let $P$ be an $\mathcal{E}_s$ process. Also, let $S$ be a set of containment structure denotations, such that $\mathrm{Subst}(P) \subseteq S$. Given the encoding $[\![\cdot]\!]_S$ in Definition 2.24, if $P \longrightarrow_s P'$ then $[\![P]\!]_S \longrightarrow_d [\![P']\!]_S$.

Proof. By induction on the height of the derivation tree for $P \longrightarrow_s P'$, with a case analysis on the last applied rule. There are seven cases to check.
Case (Act1): Then $P = P_1 \parallel P_2$ and $P' = P_1' \parallel P_2$, with $P_1 \longrightarrow P_1'$. By inductive hypothesis, we have that $[\![P_1]\!]_S \longrightarrow_d [\![P_1']\!]_{S'}$, with $\mathrm{Subst}(P_1) \subseteq S'$. Now, since $[\![\cdot]\!]_S$ is defined as an homomorphism with respect to parallel composition, and using Proposition A.4, we can immediately infer that $[\![P_1 \parallel P_2]\!]_S \longrightarrow_d [\![P_1' \parallel P_2]\!]_{S'}$, with $S' \cup \mathrm{Subst}(P_2) \subseteq S$, as wanted.

Case (Act2): Analogous to the case for (Act1) and omitted.

Case (Loc): Then $P = a[Q]$ and $P' = a[Q']$, with $Q \longrightarrow Q'$. By inductive hypothesis, we have that $[\![Q]\!]_S \longrightarrow_d [\![Q']\!]_{S'}$, with $\mathrm{Subst}(Q) \subseteq S'$. From Definitions 2.24 and 2.21 we immediately infer that $[\![a[Q]]\!]_S \longrightarrow_d [\![a[Q']]\!]_{S'}$, with $S' \cup \mathrm{St}(a[Q]) \subseteq S$.
Cases (Tau1)-(Tau2): Then $P = C_1[A] \parallel C_2[B]$, where

• $C_1, C_2$ are monadic contexts as in Definition 7.11;

• $A$ is either $!b.Q$ or $\sum_{i \in I} \pi_i.Q_i$ with $\pi_l = b$, for some $l \in I$;

• $B$ is either $!b.R$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_l = b$, for some $l \in I$.

We consider only the case in which $A = \sum_{i \in I} \pi_i.Q_i$ and $B = \,!b.R$; the other cases are similar. Then, $P' = C_1[Q_l] \parallel C_2[R \parallel\, !b.R]$. Using Definitions 2.24 and 7.11 we verify that the reduction from $P$ is preserved in $[\![P]\!]_S$:



lCi[Y,n.Qi] ||C2[!6.P]li with Subst(P) c S 



= icifs[^7T,.mi] II ic^fs 

lei 

At this point, it is immediate to infer a reduction 



mi 



ml ml II ml 



VLRjl 



!6. ml 



— >d on b: 

mlw m 



which is easily seen to correspond to [P'lc, as wanted. 



05' 

Cases (Tau3)-(Tau4): Then $P = C_1[A] \| C_2[B]$ where:

• $C_1, C_2$ are monadic contexts, as in Definition 7.11;

• $A = b[P_1]$, for some $P_1$;

• $B = \sum_{i \in I} \pi_i.R_i$ with $\pi_l = \widetilde{b}\{b[U] \| A_2\}$ for $l \in I$, or $B = !\widetilde{b}\{b[U] \| A_2\}.R$, for some $A_2, R$;

• $cond(U, P_1)$ holds.

We consider only the case in which $B = !\widetilde{b}\{b[U] \| A_2\}.R$; the other case is similar. Then, $P' = C_1[a[U(\!(P_1)\!)] \| A_2] \| C_2[B \| R]$. Since $cond(U, P_1)$ holds, we rely on Lemma 2.18 to determine the possible cases for $U$ and $P_1$: each of them entails a different encoding of $\llbracket P \rrbracket_S$. Consequently, we verify that in each case the actions that lead to reduction in $P$ are preserved in $\llbracket P \rrbracket_S$.

(a) |;7|, = A St(Pi) = St{U). Then, using the definition of we have 

mi = ici[b[Pi]] \\c2[\b{b[u] II A2}.R]rs 
= miiibmi] II mimm w ^2}.i?ii] 
= icirsHiPifs]] II mi\\K{K[mi] w i^2ii}.Mi 
At this point, it is immediate to infer a reduction $\to_D$ on name $\kappa_b$:



iciVskniims] II miKPi))] II milmi w m 



ml 



iMs II ml ml II M< 



p" 



which is easily seen to correspond to $\llbracket P' \rrbracket_S$, as desired.



(b) |;7|, = 1 A If/lgp = A {\U\p^^ > ^ IQI^p = 0). There are two subcases: 

(Kjlase |?7|pp| > 0: Then, similarly as in the previous case, using the definition of 

>d on name Kfe. 



^1 we can infer a reduction 



(2) Case |C/|ph = 0. Then, using the definition of [[-J^, we have 
ml = [Ci[6[Pi]] II C2[\b{b[U] II A2}.R]rs 

= icirsiibmi] II miiimu] w A2}.Rrs] 
= icifsinMPifs]] w mil n 



with Ki 



\>?i{K,[ml] II iMl}-iR}l 

Lp{b[Pi]). At this point, it is immediate to infer a reduction 



>d on 



ml 



mrs[*]{i-Murs] w mim))/.} \\ mi\ml w m 



mi[{^j[imi] 



miKPi)) 



ml ml II ml 



IMl 



ml ml II ml 



p" 



which is easily seen to correspond to $\llbracket P' \rrbracket_S$, as desired.



(c) $|U|_p > 1 \wedge |U|_{ap} = 0 \wedge |Q|_{ap} = 0$. Then, similarly as in case (a), using the definition of $\llbracket \cdot \rrbracket_S$ we can infer a reduction $\to_D$ on name $\kappa_b$. □



Lemma A.6. Let $P$ be an $\mathcal{E}_S$ process. Also, let $S$ be a set of containment structure denotations, such that $Subst(P) \subseteq S$. Given the encoding $\llbracket \cdot \rrbracket_S$ in Definition 2.24, if $\llbracket P \rrbracket_S \to_D \llbracket P' \rrbracket_S$ then $P \to_S P'$.

Proof. By induction on the height of the derivation tree for $P \to_D P'$, with a case analysis on the last applied rule. There are seven cases to check. The analysis of all cases mirrors the one detailed in the proof of Lemma A.5, and we omit it. The crucial point is the fact that the encoding uses the special name $err$ to rename those update prefixes that may lead to incorrect reductions in $\mathcal{E}_S$. Hence, adaptable processes included in the $\mathcal{E}_D$ process $\llbracket P \rrbracket_S$ will be unable to interact with those "error" update prefixes. This ensures that for every reduction $\to_D$ there is also a reduction $\to_S$. □



We repeat the statement in Page 15.

Theorem A.7 (2.26). Let $P$ be an $\mathcal{E}_S$ process. Also, let $S$ be a set of containment structure denotations, such that $Subst(P) \subseteq S$. Then we have:
\[
P \to_S P' \quad \text{if and only if} \quad \llbracket P \rrbracket_S \to_D \llbracket P' \rrbracket_S.
\]

Proof. Immediate from Lemmas A.5 and A.6. □
Appendix B. Proofs from Section 6

B.1. Proof of Lemma 6.2. The proof relies on two results: completeness (Lemma B.2) and soundness (Lemma B.3). We begin by defining the encoding of MM configurations.

Definition B.1. Let $N$ be a MM with registers $r_j$ ($j \in \{0,1\}$) and instructions $(1 : I_1), \ldots, (n : I_n)$. The encoding of a configuration $(i, m_0, m_1)$ of $N$, denoted $\llbracket (i, m_0, m_1) \rrbracket_1$, is defined as:
\[
\overline{p_i} \;\|\; \llbracket r_0 = m_0 \rrbracket_1 \;\|\; \llbracket r_1 = m_1 \rrbracket_1 \;\|\; \prod_{i=1}^{n} \llbracket (i : I_i) \rrbracket_1
\]
where the encodings $\llbracket r_j = m_j \rrbracket_1$ and $\llbracket (1 : I_1) \rrbracket_1, \ldots, \llbracket (n : I_n) \rrbracket_1$ are as in Table 2.

Lemma B.2 (Completeness). Let $(i, m_0, m_1)$ be a configuration of a MM $N$.

(1) If $(i, m_0, m_1) \to_M (i', m_0', m_1')$ then, for some process $P$, it holds that $\llbracket (i, m_0, m_1) \rrbracket_1 \to^* P = \llbracket (i', m_0', m_1') \rrbracket_1$.

(2) If $(i, m_0, m_1) \not\to_M$ then $\llbracket (i, m_0, m_1) \rrbracket_1 \Downarrow_e$.

Proof.

(1) We proceed by a case analysis on the instruction performed by the Minsky machine. Hence, we distinguish three cases corresponding to the behaviors associated to rules M-Inc, M-Dec, and M-Jmp. Without loss of generality, we restrict our analysis to operations on register $r_0$.

Case M-Inc: We have a Minsky configuration $(i, m_0, m_1)$ with $(i : \mathrm{INC}(r_0))$. By Definition B.1, its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_1 = \overline{p_i} \;\|\; \llbracket r_0 = m_0 \rrbracket_1 \;\|\; \llbracket r_1 = m_1 \rrbracket_1 \;\|\; \llbracket (i : \mathrm{INC}(r_0)) \rrbracket_1 \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_1
\]
After consuming the program counter $p_i$ we have the following:
\[
\llbracket (i, m_0, m_1) \rrbracket_1 \to r_0[(\!|m_0|\!)_0] \;\|\; \widetilde{r_0}\{r_0[u_0.\bullet]\}.\overline{p_{i+1}} \;\|\; S = P_1
\]
where $S = \llbracket r_1 = m_1 \rrbracket_1 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_1$ stands for the rest of the system. The only reduction possible at this point is the synchronization on $r_0$, which allows the update of the adaptable process at $r_0$:
\[
P_1 \to r_0[u_0.(\!|m_0|\!)_0] \;\|\; \overline{p_{i+1}} \;\|\; S = P_2.
\]
By the encoding of numbers, $P_2$ can be equivalently written as
\[
r_0[(\!|m_0 + 1|\!)_0] \;\|\; \overline{p_{i+1}} \;\|\; S
\]
and so it is easy to see that $P_2 = \llbracket (i+1, m_0+1, m_1) \rrbracket_1$, as desired.

Case M-Dec: We have a Minsky configuration $(i, c, m_1)$ such that $(i : \mathrm{DEC}(r_0, s))$ and $c > 0$. By Definition B.1, its encoding is as follows:
\[
\llbracket (i, c, m_1) \rrbracket_1 = \overline{p_i} \;\|\; \llbracket r_0 = c \rrbracket_1 \;\|\; \llbracket r_1 = m_1 \rrbracket_1 \;\|\; \llbracket (i : \mathrm{DEC}(r_0, s)) \rrbracket_1 \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_1
\]
We begin by consuming the program counter $p_i$, which leaves the content of $\llbracket (i : \mathrm{DEC}(r_0, s)) \rrbracket_1$ exposed. Using the encoding of numbers we have the following:
\[
\llbracket (i, c, m_1) \rrbracket_1 \to r_0[u_0.(\!|c-1|\!)_0] \;\|\; (\overline{u_0}.\overline{p_{i+1}} + \overline{z_0}.\widetilde{r_0}\{r_0[z_0]\}.\overline{p_s}) \;\|\; S = P_1
\]
where $S = \llbracket r_1 = m_1 \rrbracket_1 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_1$ stands for the rest of the system. Notice that the only reduction possible at this point is the synchronization on $u_0$, which signals the fact that we are performing a decrement instruction. After this synchronization we have
\[
P_1 \to r_0[(\!|c-1|\!)_0] \;\|\; \overline{p_{i+1}} \;\|\; S = \llbracket (i+1, c-1, m_1) \rrbracket_1
\]
as desired.

Case M-Jmp: We have a Minsky configuration $(i, 0, m_1)$ and $(i : \mathrm{DEC}(r_0, s))$. By Definition B.1, its encoding is as follows:
\[
\llbracket (i, 0, m_1) \rrbracket_1 = \overline{p_i} \;\|\; \llbracket r_0 = 0 \rrbracket_1 \;\|\; \llbracket r_1 = m_1 \rrbracket_1 \;\|\; \llbracket (i : \mathrm{DEC}(r_0, s)) \rrbracket_1 \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_1
\]
We begin by consuming the program counter $p_i$, which leaves the content of $\llbracket (i : \mathrm{DEC}(r_0, s)) \rrbracket_1$ exposed. Using the encoding of numbers we have the following:
\[
\llbracket (i, 0, m_1) \rrbracket_1 \to r_0[z_0] \;\|\; (\overline{u_0}.\overline{p_{i+1}} + \overline{z_0}.\widetilde{r_0}\{r_0[z_0]\}.\overline{p_s}) \;\|\; S = P_1
\]
where $S = \llbracket r_1 = m_1 \rrbracket_1 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_1$ stands for the rest of the system. In $P_1$, the only reduction possible is through a synchronization on $z_0$, which signals the fact that we are performing a jump. Such a synchronization, in turn, enables an update action on $r_0$. We then have:
\[
\begin{array}{rcl}
P_1 & \to & r_0[\mathbf{0}] \;\|\; \widetilde{r_0}\{r_0[z_0]\}.\overline{p_s} \;\|\; S \\
 & \to & r_0[z_0] \;\|\; \overline{p_s} \;\|\; S \\
 & = & \llbracket (s, 0, m_1) \rrbracket_1
\end{array}
\]
as desired.

(2) We have a Minsky configuration $(i, m_0, m_1)$ with $(i : \mathrm{HALT})$. By Definition B.1, its encoding is as follows:
\[
\begin{array}{rcl}
\llbracket (i, m_0, m_1) \rrbracket_1 & = & \overline{p_i} \;\|\; \llbracket r_0 = m_0 \rrbracket_1 \;\|\; \llbracket r_1 = m_1 \rrbracket_1 \;\|\; \llbracket (i : \mathrm{HALT}) \rrbracket_1 \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_1 \\
 & = & \overline{p_i} \;\|\; !p_i.(e + \overline{p_i}) \;\|\; S = P_0
\end{array}
\]
where $S = \llbracket r_0 = m_0 \rrbracket_1 \| \llbracket r_1 = m_1 \rrbracket_1 \| \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_1$ stands for the part of the system that is not able to interact. It is easy to see that $P_0 \Downarrow_e$. In fact, by synchronizing on $p_i$ and choosing the left-hand side process in the binary sum, we have $P_0 \to\, \downarrow_e$. The thesis is easily seen to hold by observing that by releasing new copies of the encoding of $(i : \mathrm{HALT})$, one always reaches a derivative $P_j$ of $P_0$ such that $P_j \Downarrow_e$. □
Lemma B.3 (Soundness). Let $(i, m_0, m_1)$ be a configuration of a MM $N$. If $\llbracket (i, m_0, m_1) \rrbracket_1 \to P_1$ then either:

(1) For every computation of $P_1$ there exists a $P_j$ such that
\[
P_1 \to^* P_j = \llbracket (i', m_0', m_1') \rrbracket_1
\]
and $(i, m_0, m_1) \to_M (i', m_0', m_1')$; or

(2) $P_1 \Downarrow_e$ and $(i, m_0, m_1) \not\to_M$.

Proof. Consider the reduction $\llbracket (i, m_0, m_1) \rrbracket_1 \to P_1$. An analysis of the structure of process $\llbracket (i, m_0, m_1) \rrbracket_1$ reveals that, in all cases, the only possibility for the first step corresponds to the consumption of the program counter $p_i$. This implies that there exists an instruction labeled with $i$, that can be executed from the configuration $(i, m_0, m_1)$. We proceed by a case analysis on the possible instruction, considering also the fact that the register on which the instruction acts can hold a value equal to or greater than zero.

In the cases in which $(i : \mathrm{INC}(r_j))$ or $(i : \mathrm{DEC}(r_j, s))$, it can be shown that the computation evolves deterministically until reaching a process in which a new program counter (that is, some $\overline{p_{i'}}$) appears. The program counter $\overline{p_{i'}}$ is always inside a process that corresponds to $\llbracket (i', m_0', m_1') \rrbracket_1$, where $(i, m_0, m_1) \to_M (i', m_0', m_1')$. That is, for the cases $(i : \mathrm{INC}(r_j))$ and $(i : \mathrm{DEC}(r_j, s))$, we have that Item (1) above holds. The detailed analysis follows the same lines as the one reported for the proof of Lemma B.2, and we omit it.

In the case in which $(i : \mathrm{HALT})$, we have that Item (2) holds. In order to see this, it suffices to observe that if $N$ does not terminate (more precisely: if $N$ does not reach a program counter associated to a HALT instruction) then $\llbracket N \rrbracket_1$ does not have a barb on $e$. In fact, by a simple inspection on the encodings in Table 2 we can deduce that $e$ only appears in the encoding of halt instructions, and does not occur in the encodings of increment and decrement-and-jump instructions. Hence, a barb on $e$ can only be observed when $P_1$ is the result of triggering a halt instruction. □

We are now ready to repeat the statement of Lemma 6.2 in Page 25.

Lemma B.4 (6.2). Let $N$ be a MM and $k \geq 1$. $N$ terminates iff $\llbracket N \rrbracket_1 \Downarrow_e$.

Proof. It follows directly from Lemmas B.2 and B.3. □



Appendix C. Proofs from Section 7

C.1. Proof of Lemma 7.27. The proof relies on two auxiliary results: completeness (Lemma C.5) and soundness (Lemma C.6). Completeness relies on the auxiliary Lemma C.3. We first introduce the notion of encoding of a MM configuration. Notice that, in addition to the encodings of registers and instructions, it includes a number of resources $f$ and $b$ which are always available during the execution of the machine:

Definition C.1. Let $N$ be a MM with registers $r_j$ ($j \in \{0,1\}$) and instructions $(1 : I_1), \ldots, (n : I_n)$. The encoding of a configuration $(i, m_0, m_1)$ of $N$, denoted $\llbracket (i, m_0, m_1) \rrbracket_2$, is defined as:
\[
\overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; \llbracket r_1 = m_1 \rrbracket_2 \;\|\; \prod_{i=1}^{n} \llbracket (i : I_i) \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)}
\]
where

• $C^{(\alpha,\beta,\gamma)} = \prod^{\alpha} \overline{f} \;\|\; \prod^{\beta} \overline{b} \;\|\; \prod^{\gamma} \overline{g} \;\|\; !a.(\overline{f} \| \overline{b} \| \overline{a}) \;\|\; !h.(g.\overline{f} \| \overline{h})$, with $\alpha, \beta, \gamma \geq 0$;

• the encodings $\llbracket r_j = m_j \rrbracket_2$ and $\llbracket (1 : I_1) \rrbracket_2, \ldots, \llbracket (n : I_n) \rrbracket_2$ are as in Table 3.

Notice that $C^{(\alpha,\beta,\gamma)}$ abstracts the evolution of process Control in Table 3 and the resources that it produces and maintains (namely, $\alpha$ copies of $f$, $\beta$ copies of $b$, and $\gamma$ copies of $g$).

Remark C.2. As we have discussed, the presence of copies of $f$ is required for the execution of increment and decrement-and-jump instructions. In their absence, the encoding of the MM would reach a deadlocked state. Such outputs are produced at the beginning of the execution of the encoding of a MM, by means of a replicated process. In the proofs below, we assume that the initialization of the encoding always produces enough copies of $f$ so as to ensure the existence of a correct simulation of the machine. That is to say, we assume that the absence of copies of $f$ is not a possible source of deadlocks.

We prove that given a MM $N$ there exists a computation of process $\llbracket N \rrbracket_2$ which correctly mimics its behavior.

Lemma C.3. Let $(i, m_0, m_1)$ be a configuration of a MM $N$.

(1) If $(i, m_0, m_1) \to_M (i', m_0', m_1')$ then, for some process $P$, it holds that
\[
\llbracket (i, m_0, m_1) \rrbracket_2 \to^* P = \llbracket (i', m_0', m_1') \rrbracket_2
\]

(2) If $(i, m_0, m_1) \not\to_M$ then $\llbracket (i, m_0, m_1) \rrbracket_2 \Downarrow_e$.

Proof.

(1) We proceed by a case analysis on the instruction performed by the Minsky machine. Hence, we distinguish three cases corresponding to the behaviors associated to rules M-Inc, M-Dec, and M-Jmp. Without loss of generality, we restrict our analysis to operations on register $r_0$.

Case M-Inc: We have a Minsky configuration $(i, m_0, m_1)$ with $(i : \mathrm{INC}(r_0))$. By Definition C.1 its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_2 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; \llbracket r_1 = m_1 \rrbracket_2 \;\|\; !p_i.f.(\overline{g} \;\|\; b.\overline{inc_0}.\overline{p_{i+1}}) \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)}
\]
We then have:
\[
\llbracket (i, m_0, m_1) \rrbracket_2 \to e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; f.(\overline{g} \;\|\; b.\overline{inc_0}.\overline{p_{i+1}}) \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; S = P
\]
where $S = \llbracket r_1 = m_1 \rrbracket_2 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2$ stands for the rest of the system. Starting from $P$, a possible sequence of reductions is the following:
\[
\begin{array}{rcl}
P & \to & e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; b.\overline{inc_0}.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & = & e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; b.\overline{inc_0}.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & \to & e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; \overline{inc_0}.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S \\
 & \to & e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0+1} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; \overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S = P'
\end{array}
\]
It is easy to see that $P' = \llbracket (i+1, m_0+1, m_1) \rrbracket_2$, as desired. Observe how the number of resources changes: in the first reduction, a copy of $f$ is consumed, and a copy of $g$ is released in its place. Notice that we are assuming that $\beta > 0$, that is, that there is at least one copy of $b$. In fact, since the instruction only takes place after a synchronization on $b$ (i.e., the second reduction above) the presence of at least one copy of $b$ in $C^{(\alpha-1,\beta,\gamma+1)}$ is essential to avoid deadlocks.
Case M-Dec: We have a Minsky configuration $(i, m_0, m_1)$ with $m_0 > 0$ and $(i : \mathrm{DEC}(r_0, s))$. By Definition C.1, its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_2 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; \llbracket r_1 = m_1 \rrbracket_2 \;\|\; !p_i.f.(\overline{g} \;\|\; (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s})) \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)}
\]
We then have:
\[
\llbracket (i, m_0, m_1) \rrbracket_2 \to f.(\overline{g} \;\|\; (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s})) \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; S = P
\]
where $S = \llbracket r_1 = m_1 \rrbracket_2 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2$ stands for the rest of the system. Starting from $P$, a possible sequence of reductions is the following:
\[
\begin{array}{rcl}
P & \to & (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s}) \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & = & (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s}) \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S = P' \\
 & \to & \overline{p_{i+1}} \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0-1} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; C^{(\alpha-1,\beta+1,\gamma+1)} \;\|\; S = P''
\end{array}
\]
It is easy to see that $P'' = \llbracket (i+1, m_0-1, m_1) \rrbracket_2$, as desired. Observe how in the last reduction the presence of at least a copy of $u_0$ in $r_0$ is fundamental for releasing both an extra copy of $b$ and the trigger for the next instruction.
Case M-Jmp: We have a Minsky configuration $(i, 0, m_1)$ and $(i : \mathrm{DEC}(r_0, s))$. By Definition C.1 its encoding is as follows:
\[
\llbracket (i, 0, m_1) \rrbracket_2 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = 0 \rrbracket_2 \;\|\; \llbracket r_1 = m_1 \rrbracket_2 \;\|\; !p_i.f.(\overline{g} \;\|\; (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s})) \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)}
\]
We then have:
\[
\llbracket (i, 0, m_1) \rrbracket_2 \to f.(\overline{g} \;\|\; (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s})) \;\|\; e \;\|\; \llbracket r_0 = 0 \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; S = P
\]
where $S = \llbracket r_1 = m_1 \rrbracket_2 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2$ stands for the rest of the system. Starting from $P$, a possible sequence of reductions is the following:
\[
\begin{array}{rcl}
P & \to & (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s}) \;\|\; e \;\|\; \llbracket r_0 = 0 \rrbracket_2 \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & = & (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s}) \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & \to & \widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s} \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0}\,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & \to & r_0[\,!inc_0.\overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; \overline{p_s} \;\|\; e \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S = P'
\end{array}
\]
It is easy to see that $P' = \llbracket (s, 0, m_1) \rrbracket_2$, as desired. Observe how the number of copies of $b$ remains invariant when the MM is correctly simulated.



(2) If $(i, m_0, m_1) \not\to_M$ then $i$ corresponds to the HALT instruction. Then, by Definition C.1 its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_2 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; \llbracket r_1 = m_1 \rrbracket_2 \;\|\; !p_i.\overline{h}.h.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\widetilde{r_1}\{r_1[\,!inc_1.\overline{u_1} \| \overline{z_1}\,]\}.\overline{p_1} \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)}
\]
We then have:
\[
\llbracket (i, m_0, m_1) \rrbracket_2 \to \overline{h}.h.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\widetilde{r_1}\{r_1[\,!inc_1.\overline{u_1} \| \overline{z_1}\,]\}.\overline{p_1} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; S = P
\]
where $S = \llbracket r_1 = m_1 \rrbracket_2 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2$ stands for the rest of the system. Starting from $P$, a possible sequence of reductions is the following:
\[
P \to^* \widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\widetilde{r_1}\{r_1[\,!inc_1.\overline{u_1} \| \overline{z_1}\,]\}.\overline{p_1} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_2 \;\|\; C^{(\alpha+c,\beta,\gamma-c)} \;\|\; S = P_1
\]
where the output on $h$ in $P$ interacted with process $C^{(\alpha,\beta,\gamma)}$ so as to replace $c$ outputs on $g$ with $c$ outputs on $f$. After that, a synchronization on $h$ took place between the evolutions of $C^{(\alpha,\beta,\gamma)}$ and of $P$. We now have:
\[
\begin{array}{rcl}
P_1 & \to & e \;\|\; \llbracket r_0 = 0 \rrbracket_2 \;\|\; \llbracket r_1 = m_1 \rrbracket_2 \;\|\; \widetilde{r_1}\{r_1[\,!inc_1.\overline{u_1} \| \overline{z_1}\,]\}.\overline{p_1} \;\|\; \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2 \;\|\; C^{(\alpha+c,\beta,\gamma-c)} \\
 & \to & e \;\|\; \llbracket r_0 = 0 \rrbracket_2 \;\|\; \llbracket r_1 = 0 \rrbracket_2 \;\|\; \overline{p_1} \;\|\; \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2 \;\|\; C^{(\alpha+c,\beta,\gamma-c)}
\end{array}
\]
which corresponds to $\llbracket (1, 0, 0) \rrbracket_2$. In turn, it can be seen that $\llbracket (i, m_0, m_1) \rrbracket_2 \Downarrow_e$. □

Remark C.4. It is instructive to identify the exact point in which an erroneous computation can be made when mimicking the behavior of a decrement-and-jump instruction. Consider again the process $P'$, as analyzed in the case M-Dec above:
\[
P' = (u_0.(\overline{b} \| \overline{p_{i+1}}) + z_0.\widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s}) \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S
\]
where $S = \llbracket r_1 = m_1 \rrbracket_2 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_2$ stands for the rest of the system. Above, we analyzed the correct computation from $P'$, namely a synchronization on $u_0$:
\[
P' \to \overline{p_{i+1}} \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0-1} \overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; C^{(\alpha-1,\beta+1,\gamma+1)} \;\|\; S = P''
\]
with $P'' = \llbracket (i+1, m_0-1, m_1) \rrbracket_2$. The erroneous computation takes place when there is a synchronization on $z_0$, rather than on $u_0$. We then have:
\[
\begin{array}{rcl}
P' & \to & \widetilde{r_0}\{r_0[\,!inc_0.\overline{u_0} \| \overline{z_0}\,]\}.\overline{p_s} \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \textstyle\prod^{m_0} \overline{u_0}\,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & \to & \overline{p_s} \;\|\; e \;\|\; r_0[\,!inc_0.\overline{u_0} \;\|\; \overline{z_0}\,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S = P'''
\end{array}
\]
with $P''' = \llbracket (s, 0, m_1) \rrbracket_2$. The side effect of the above erroneous computation can be seen on the number of copies of $b$ that remain after the (erroneous) synchronization on $z_0$. In fact, while a correct computation (as $P''$ above) increases by one the number of such copies, in an incorrect computation (as $P'''$ above) the number of copies of $b$ remains invariant. Notice also that copies of $b$ can only be produced at the beginning of the execution of the encoding of the MM. This is significant since, as discussed at the end of the case M-Inc, the number of copies of $b$ has a direct influence on potential deadlocks of the encoding of a MM.

Lemma C.5 (Completeness). Let $N$ be a MM. If $N$ terminates then $\llbracket N \rrbracket_2 \Downarrow_e$.

Proof. Recall that $N$ is said to terminate if there exists a computation
\[
(1, 0, 0) \to_M^* (h, 0, 0)
\]
such that $(h : \mathrm{HALT})$. Lemma C.3 guarantees the existence of a process $P$ such that $\llbracket (1, 0, 0) \rrbracket_2 \to^* P = \llbracket (h, 0, 0) \rrbracket_2$, with $P \Downarrow_e$. This ensures that every time that the encoding of $N$ reaches HALT the simulation is restarted. Therefore, termination of $N$ ensures that $\llbracket N \rrbracket_2$ has an infinite computation: since the encoding always exhibits barb $e$, we can conclude that $\llbracket N \rrbracket_2 \Downarrow_e$. □

Lemma C.6 (Soundness). Let $N$ be a MM. If $N$ does not terminate then $\llbracket N \rrbracket_2 \not\Downarrow_e$.

Proof. It is enough to prove that if $N$ does not terminate (that is, if $N$ does not reach a HALT instruction) then all the computations of $\llbracket N \rrbracket_2$ are finite. Since the encoding can mimic the behavior of $N$ both correctly and incorrectly, we have two possible cases:

(1) In the first case, the simulation of $\llbracket N \rrbracket_2$ is correct and no erroneous steps are introduced. Notice that at every instruction an output on $f$ is consumed permanently: these copies of $f$ are only recreated when invoking a HALT instruction, which converts every $g$ into an $f$. Since a HALT instruction is never reached, new copies of $f$ are never recreated, and the computation of process $\llbracket N \rrbracket_2$ has necessarily to be finite.

(2) In the second case, the simulation is not correct and one or more wrong guesses occurred in the simulation of a decrement-and-jump instruction. Here, in addition to the possibility of deadlocks described in Item (1) above, erroneous computations constitute another source of deadlocks. In fact, as detailed in Remark C.4, for each one of such wrong guesses a copy of $b$ is permanently lost. An arbitrary number of wrong guesses may thus lead to a state in which there are no outputs on $b$. As discussed at the end of the case M-Inc in the proof of Lemma C.3, the encoding of an increment instruction reaches a deadlock if a copy of $b$ is not available. This means that wrong guesses in simulating a decrement-and-jump instruction may induce deadlocks when simulating an increment instruction.

Hence, as all the computations of $\llbracket N \rrbracket_2$ are finite, the barb $e$ of $\llbracket N \rrbracket_2$ cannot be exposed an infinite number of times. □
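As an added illustration of the resource accounting behind Remark C.4 and Lemmas C.5 and C.6 (this is not material from the paper), the following Python model abstracts $\llbracket N \rrbracket_2$ to the tuple $(i, m_0, m_1, \alpha, \beta, \gamma)$ and explores all of its computations, wrong guesses on $z_j$ included; it assumes that a HALT converts all $\gamma$ copies of $g$ back into $f$ and that a program counter with no instruction is stuck.

```python
"""Resource accounting for the encoding [[N]]_2 of Definition C.1.

Added example, not code from the paper. A configuration (i, m0, m1) of a
Minsky machine N together with the resource process C^(alpha,beta,gamma)
(alpha copies of f, beta copies of b, gamma copies of g) is abstracted to
the tuple (i, m0, m1, alpha, beta, gamma). The step rules follow the cases
M-Inc, M-Dec, M-Jmp and HALT of Lemma C.3 and the erroneous synchronization
on z_j of Remark C.4. Assumptions: a HALT converts all gamma copies of g
into f (the paper writes "c outputs"), and a pc with no instruction is stuck.
"""
from typing import Dict, List, Set, Tuple

Instr = Tuple[object, ...]   # ("INC", j), ("DEC", j, s) or ("HALT",)
Program = Dict[int, Instr]
State = Tuple[int, int, int, int, int, int]  # (pc, m0, m1, alpha, beta, gamma)


def successors(prog: Program, st: State) -> List[Tuple[str, State]]:
    """All reductions of the abstraction from st, tagged 'correct' or 'wrong'.

    An empty list is a deadlock of the encoding: barb e is still present but
    no further reduction can expose it again."""
    pc, m0, m1, alpha, beta, gamma = st
    regs = [m0, m1]
    instr = prog.get(pc)
    if instr is None:                     # assumption: no instruction at pc
        return []
    if instr[0] == "HALT":
        # h converts the g copies back into f and the simulation restarts
        return [("correct", (1, 0, 0, alpha + gamma, beta, 0))]
    if alpha == 0:
        return []                         # no f available (Lemma C.6, item 1)
    alpha, gamma = alpha - 1, gamma + 1   # first reduction: f consumed, g released
    j = instr[1]
    if instr[0] == "INC":
        if beta == 0:
            return []                     # no b available (end of case M-Inc)
        regs[j] += 1
        return [("correct", (pc + 1, regs[0], regs[1], alpha, beta - 1, gamma))]
    s = instr[2]                          # DEC(r_j, s)
    if regs[j] == 0:
        # M-Jmp: synchronization on z_j, number of b copies unchanged
        return [("correct", (s, regs[0], regs[1], alpha, beta, gamma))]
    # M-Dec: synchronization on u_j releases one extra copy of b
    dec = regs[:]
    dec[j] -= 1
    correct = ("correct", (pc + 1, dec[0], dec[1], alpha, beta + 1, gamma))
    # Remark C.4: wrong guess, synchronization on z_j; r_j is reset to 0,
    # control jumps to s and the extra copy of b is never produced
    wrong_regs = regs[:]
    wrong_regs[j] = 0
    wrong = ("wrong", (s, wrong_regs[0], wrong_regs[1], alpha, beta, gamma))
    return [correct, wrong]


def has_infinite_computation(prog: Program, alpha: int, beta: int,
                             gamma: int, allow_wrong: bool = True) -> bool:
    """True iff some computation from [[(1,0,0)]]_2 is infinite, i.e. barb e
    is exposed infinitely often. alpha + gamma is invariant, every register
    is bounded by it and beta never grows, so the state space is finite and
    an infinite computation is exactly a reachable cycle."""
    on_path: Set[State] = set()
    finished: Set[State] = set()

    def dfs(st: State) -> bool:
        if st in on_path:
            return True                   # cycle: the computation never ends
        if st in finished:
            return False
        on_path.add(st)
        for kind, nxt in successors(prog, st):
            if (kind == "correct" or allow_wrong) and dfs(nxt):
                return True
        on_path.discard(st)
        finished.add(st)
        return False

    return dfs((1, 0, 0, alpha, beta, gamma))


# Constructed machines, not taken from the paper.
TERMINATING: Program = {1: ("INC", 0), 2: ("DEC", 0, 3), 3: ("HALT",)}
LOOPING: Program = {1: ("DEC", 0, 1)}   # jumps to itself forever, never halts
# Reaches HALT only through a wrong guess at 2; its correct run loops at 3.
GUESS_ONLY: Program = {1: ("INC", 0), 2: ("DEC", 0, 4),
                       3: ("DEC", 0, 3), 4: ("HALT",)}

if __name__ == "__main__":
    for name, prog in (("terminating", TERMINATING), ("looping", LOOPING),
                       ("guess-only", GUESS_ONLY)):
        print(name, has_infinite_computation(prog, alpha=4, beta=2, gamma=0))
```

With a fixed stock of resources the looping machine exhausts $f$ and GUESS_ONLY loses one $b$ per wrong guess until an increment deadlocks, so only the terminating machine keeps exposing $e$.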

We are now ready to repeat the statement of Lemma 7.27 in Page 37.

Lemma C.7 (7.27). Let $N$ be a MM. $N$ terminates iff $\llbracket N \rrbracket_2 \Downarrow_e$.

Proof. It follows directly from Lemmas C.5 and C.6. □



Appendix D. Proofs from Section 8

D.1. Proof of Lemma 8.2. The proof relies on two results: completeness (Lemma D.3) and soundness (Lemma D.4). The proof is very similar to the one presented in Appendix C, and considerations concerning the handling of resources (i.e., process Control) are exactly the same. Hence, Remarks C.2 and C.4 are valid also in this proof.

We first introduce the notion of encoding of a MM configuration.

Definition D.1. Let $N$ be a MM with registers $r_j$ ($j \in \{0,1\}$) and instructions $(1 : I_1), \ldots, (n : I_n)$. The encoding of a configuration $(i, m_0, m_1)$ of $N$, denoted $\llbracket (i, m_0, m_1) \rrbracket_3$, is defined as:
\[
\overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; \prod_{i=1}^{n} \llbracket (i : I_i) \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)}
\]
where

• $C^{(\alpha,\beta,\gamma)} = \prod^{\alpha} \overline{f} \;\|\; \prod^{\beta} \overline{b} \;\|\; \prod^{\gamma} \overline{g} \;\|\; !a.(\overline{f} \| \overline{b} \| \overline{a}) \;\|\; !h.(g.\overline{f} \| \overline{h})$, with $\alpha, \beta, \gamma \geq 0$;

• $\llbracket (1 : I_1) \rrbracket_3, \ldots, \llbracket (n : I_n) \rrbracket_3$ are as in Table 4;

• $\llbracket r_j = m_j \rrbracket_3$ stands for $r_j[\, \prod^{m_j} U_j \;\|\; Reg_j \;\|\; c_j[G_j^{(\delta)}] \,]$ with
  - $Reg_j = \,!inc_j.\widetilde{c_j}\{c_j[\bullet]\}.\overline{ack}.\overline{u_j}.\widetilde{c_j}\{c_j[\bullet]\}.\overline{ack}$ (as in Table 4);
  - $U_j = \overline{u_j}.\widetilde{c_j}\{c_j[\bullet]\}.\overline{ack}$;
  - $G_j^{(\delta)} = Reg_j \;\|\; \prod^{\delta} U_j$.

Similarly as before, in addition to the encodings of registers and instructions, the encoding of a MM configuration includes a number of resources $f$ and $b$ which are always available during the execution of the machine. These are represented by process $C^{(\alpha,\beta,\gamma)}$, which abstracts the evolution of process Control in Table 4 and the resources that it produces and maintains (namely, $\alpha$ copies of $f$, $\beta$ copies of $b$, and $\gamma$ copies of $g$). In addition, the encoding of register $j$ includes a "garbage" process $c_j[G_j^{(\delta)}]$ representing residual processes which are accumulated during the execution of the encoding; as we will see, every interaction with such a garbage process will result into a deadlocked process.

We prove that given a MM $N$ there exists a computation of process $\llbracket N \rrbracket_3$ which correctly mimics its behavior. We remind that Remark C.2 applies to this case too.



Lemma D.2. Let $(i, m_0, m_1)$ be a configuration of a MM $N$.

(1) If $(i, m_0, m_1) \to_M (i', m_0', m_1')$ then, for some process $P$, it holds that
\[
\llbracket (i, m_0, m_1) \rrbracket_3 \to^* P = \llbracket (i', m_0', m_1') \rrbracket_3
\]

(2) If $(i, m_0, m_1) \not\to_M$ then $\llbracket (i, m_0, m_1) \rrbracket_3 \Downarrow_e$.

Proof.



(1) We proceed by a case analysis on the instruction performed by the Minsky machine. Hence, we distinguish three cases corresponding to the behaviors associated to rules M-Inc, M-Dec, and M-Jmp. Without loss of generality, we restrict our analysis to operations on register $r_0$.

Case M-Inc: We have a Minsky configuration $(i, m_0, m_1)$ with $(i : \mathrm{INC}(r_0))$. By Definition D.1 its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_3 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; !p_i.f.(\overline{g} \;\|\; b.\overline{inc_0}.ack.\overline{p_{i+1}}) \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_3
\]
We then have: $\llbracket (i, m_0, m_1) \rrbracket_3 \to R$ where
\[
R = \llbracket r_0 = m_0 \rrbracket_3 \;\|\; f.(\overline{g} \;\|\; b.\overline{inc_0}.ack.\overline{p_{i+1}}) \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; S,
\]
and $S = e \| \llbracket r_1 = m_1 \rrbracket_3 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_3$ stands for the rest of the system. Starting from $R$, a possible sequence of reductions is the following:
\[
\begin{array}{rcl}
R & \to & \llbracket r_0 = m_0 \rrbracket_3 \;\|\; b.\overline{inc_0}.ack.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & = & r_0[\, \textstyle\prod^{m_0} U_0 \;\|\; !inc_0.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack}.\overline{u_0}.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; b.\overline{inc_0}.ack.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; S \\
 & \to & r_0[\, \textstyle\prod^{m_0} U_0 \;\|\; !inc_0.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack}.\overline{u_0}.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; \overline{inc_0}.ack.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S = R' \\
 & \to & r_0[\, \textstyle\prod^{m_0} U_0 \;\|\; \widetilde{c_0}\{c_0[\bullet]\}.\overline{ack}.\overline{u_0}.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; ack.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S \\
 & \to & r_0[\, \textstyle\prod^{m_0} U_0 \;\|\; \overline{ack}.\overline{u_0}.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; ack.\overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S \\
 & \to & r_0[\, \textstyle\prod^{m_0} U_0 \;\|\; \overline{u_0}.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; \overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S \\
 & = & r_0[\, \textstyle\prod^{m_0+1} U_0 \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; \overline{p_{i+1}} \;\|\; C^{(\alpha-1,\beta-1,\gamma+1)} \;\|\; S = P
\end{array}
\]
It is easy to see that $P = \llbracket (i+1, m_0+1, m_1) \rrbracket_3$, as desired. Observe how the number of resources changes: in the first reduction, a copy of $f$ is consumed, and a copy of $g$ is released in its place. Notice that we are assuming that $\beta > 0$, that is, that there is at least one copy of $b$. In fact, since the instruction only takes place after a synchronization on $b$ (i.e., the second reduction above) the presence of at least one copy of $b$ in $C^{(\alpha-1,\beta,\gamma+1)}$ is essential to avoid deadlocks. For the same reason, it is interesting to observe that in $R'$ the computation can only evolve if $\overline{inc_0}$ synchronizes with the replicated input process $inc_0$ inside $r_0$. Had it synchronized with the input on $inc_0$ inside $c_0$, the simulation would have reached a deadlock state, as there are no other adaptable processes at $c_0$ inside it.
Case M-Dec: We have a Minsky configuration $(i, m_0, m_1)$ with $m_0 > 0$ and $(i : \mathrm{DEC}(r_0, s))$. By Definition D.1, its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_3 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; !p_i.f.(\overline{g} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s})) \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_3
\]
We then have:
\[
\llbracket (i, m_0, m_1) \rrbracket_3 \to \llbracket r_0 = m_0 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; f.(\overline{g} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s})) \;\|\; S = R
\]
where $S = e \| \llbracket r_1 = m_1 \rrbracket_3 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_3$ stands for the rest of the system. Starting from $R$, a possible sequence of reductions is the following:
\[
\begin{array}{rcl}
R & \to & \llbracket r_0 = m_0 \rrbracket_3 \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s}) \;\|\; S \\
 & = & r_0[\, \textstyle\prod^{m_0-1} U_0 \;\|\; \overline{u_0}.\widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s}) \;\|\; S = R' \\
 & \to & r_0[\, \textstyle\prod^{m_0-1} U_0 \;\|\; \widetilde{c_0}\{c_0[\bullet]\}.\overline{ack} \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; ack.(\overline{b} \| \overline{p_{i+1}}) \;\|\; S \\
 & \to & r_0[\, \textstyle\prod^{m_0-1} U_0 \;\|\; \overline{ack} \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; ack.(\overline{b} \| \overline{p_{i+1}}) \;\|\; S \\
 & \to & r_0[\, \textstyle\prod^{m_0-1} U_0 \;\|\; Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta+1,\gamma+1)} \;\|\; \overline{p_{i+1}} \;\|\; S = P
\end{array}
\]
It is easy to see that $P = \llbracket (i+1, m_0-1, m_1) \rrbracket_3$, as desired. Observe how in the last reduction the presence of at least a copy of $u_0$ in $r_0$ is fundamental for releasing both an extra copy of $b$ and the trigger for the next instruction. Notice also that if $u_0$ in $R'$ synchronizes with $\overline{u_0}$ inside adaptable process $c_0$ then, as in the case of the increment, the simulation would be deadlocked.
Case M-Jmp: We have a Minsky configuration $(i, 0, m_1)$ and $(i : \mathrm{DEC}(r_0, s))$. By Definition D.1 its encoding is as follows:
\[
\llbracket (i, 0, m_1) \rrbracket_3 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = 0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; !p_i.f.(\overline{g} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s})) \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_3
\]
We then have:
\[
\llbracket (i, 0, m_1) \rrbracket_3 \to \llbracket r_0 = 0 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; f.(\overline{g} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s})) \;\|\; S = R
\]
where $S = e \| \llbracket r_1 = m_1 \rrbracket_3 \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_3$ stands for the rest of the system. Starting from $R$, a possible sequence of reductions is the following:
\[
\begin{array}{rcl}
R & \to & \llbracket r_0 = 0 \rrbracket_3 \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s}) \;\|\; S \\
 & = & r_0[\, Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; (u_0.ack.(\overline{b} \| \overline{p_{i+1}}) + \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s}) \;\|\; S \\
 & \to & r_0[\, Reg_0 \;\|\; G_0^{(\delta)} \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; \widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\overline{p_s} \;\|\; S \\
 & \to & r_0[\, Reg_0 \;\|\; c_0[Reg_0 \| G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; \overline{p_s} \;\|\; S \\
 & \approx & r_0[\, Reg_0 \;\|\; c_0[G_0^{(\delta)}] \,] \;\|\; C^{(\alpha-1,\beta,\gamma+1)} \;\|\; \overline{p_s} \;\|\; S = P
\end{array}
\]
It is easy to see that $P = \llbracket (s, 0, m_1) \rrbracket_3$, as desired. Notice that the first reduction results from a synchronization on $f$. The second reduction arises from an update action on $c_0$, which removes that "boundary" for $G_0^{(\delta)}$. Finally, the third reduction is an update action on $r_0$. We use $\approx$ to denote the extension of structural congruence with the axiom $!\pi.P \;\|\; !\pi.P = \,!\pi.P$.
(2) If $(i, m_0, m_1) \not\to_M$ then $i$ corresponds to the HALT instruction. Then, by Definition D.1 its encoding is as follows:
\[
\llbracket (i, m_0, m_1) \rrbracket_3 = \overline{p_i} \;\|\; e \;\|\; \llbracket r_0 = m_0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; !p_i.\overline{h}.h.\widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\widetilde{c_1}\{\bullet\}.\widetilde{r_1}\{r_1[Reg_1 \| c_1[\bullet]]\}.\overline{p_1} \;\|\; \prod_{l=1,\, l \neq i}^{n} \llbracket (l : I_l) \rrbracket_3
\]
We then have: $\llbracket (i, m_0, m_1) \rrbracket_3 \to R$ where
\[
R = \llbracket r_0 = m_0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; C^{(\alpha,\beta,\gamma)} \;\|\; \overline{h}.h.\widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\widetilde{c_1}\{\bullet\}.\widetilde{r_1}\{r_1[Reg_1 \| c_1[\bullet]]\}.\overline{p_1} \;\|\; S
\]
where $S = e \| \prod_{l=1}^{n} \llbracket (l : I_l) \rrbracket_3$ stands for the rest of the system. Starting from $R$, a possible sequence of reductions is the following:
\[
R \to^* \llbracket r_0 = m_0 \rrbracket_3 \;\|\; \llbracket r_1 = m_1 \rrbracket_3 \;\|\; C^{(\alpha+c,\beta,\gamma-c)} \;\|\; S \;\|\; \widetilde{c_0}\{\bullet\}.\widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\widetilde{c_1}\{\bullet\}.\widetilde{r_1}\{r_1[Reg_1 \| c_1[\bullet]]\}.\overline{p_1} = R_1
\]
where the output on $h$ in $R$ interacted with process $C^{(\alpha,\beta,\gamma)}$ so as to replace $c$ outputs on $g$ with $c$ outputs on $f$. After that, a synchronization on $h$ took place between the evolutions of $C^{(\alpha,\beta,\gamma)}$ and of $R$. We now have:
\[
\begin{array}{rcl}
R_1 & \to & r_0[\, \textstyle\prod^{m_0} U_0 \;\|\; Reg_0 \;\|\; G_0^{(\delta_0)} \,] \;\|\; r_1[\, \textstyle\prod^{m_1} U_1 \;\|\; Reg_1 \;\|\; c_1[G_1^{(\delta_1)}] \,] \;\|\; S \;\|\; \widetilde{r_0}\{r_0[Reg_0 \| c_0[\bullet]]\}.\widetilde{c_1}\{\bullet\}.\widetilde{r_1}\{r_1[Reg_1 \| c_1[\bullet]]\}.\overline{p_1} \;\|\; C^{(\alpha+c,\beta,\gamma-c)} \\
 & \to & r_0[\, Reg_0 \;\|\; c_0[G_0^{(\delta_0+m_0)}] \,] \;\|\; r_1[\, \textstyle\prod^{m_1} U_1 \;\|\; Reg_1 \;\|\; c_1[G_1^{(\delta_1)}] \,] \;\|\; S \;\|\; \widetilde{c_1}\{\bullet\}.\widetilde{r_1}\{r_1[Reg_1 \| c_1[\bullet]]\}.\overline{p_1} \;\|\; C^{(\alpha+c,\beta,\gamma-c)} \\
 & \to & r_0[\, Reg_0 \;\|\; c_0[G_0^{(\delta_0+m_0)}] \,] \;\|\; r_1[\, \textstyle\prod^{m_1} U_1 \;\|\; Reg_1 \;\|\; G_1^{(\delta_1)} \,] \;\|\; S \;\|\; \widetilde{r_1}\{r_1[Reg_1 \| c_1[\bullet]]\}.\overline{p_1} \;\|\; C^{(\alpha+c,\beta,\gamma-c)} \\
 & \to & r_0[\, Reg_0 \;\|\; c_0[G_0^{(\delta_0+m_0)}] \,] \;\|\; r_1[\, Reg_1 \;\|\; c_1[G_1^{(\delta_1+m_1)}] \,] \;\|\; S \;\|\; \overline{p_1} \;\|\; C^{(\alpha+c,\beta,\gamma-c)}
\end{array}
\]
where, as in the case M-Jmp, the duplicated copies of $Reg_0$ and $Reg_1$ produced by the updates on $r_0$ and $r_1$ are collapsed up to $\approx$. The last process is easily seen to correspond to $\llbracket (1, 0, 0) \rrbracket_3$, and thus $\llbracket (i, m_0, m_1) \rrbracket_3 \Downarrow_e$. □



It is straightforward to see that Remark C.4 is valid for $\llbracket N \rrbracket_3$ too. Unsurprisingly, the proof concludes following the same lines of the proof of Lemma 7.27.



Lemma D.3 (Completeness). Let $N$ be a MM. If $N$ terminates then $\llbracket N \rrbracket_3 \Downarrow_e$.

Proof. Recall that $N$ is said to terminate if there exists a computation
\[
(1, 0, 0) \to_M^* (h, 0, 0)
\]
such that $(h : \mathrm{HALT})$. Lemma D.2 guarantees the existence of a process $P$ such that $\llbracket (1, 0, 0) \rrbracket_3 \to^* P = \llbracket (h, 0, 0) \rrbracket_3$, with $P \Downarrow_e$. This ensures that every time that the encoding of $N$ reaches HALT the simulation is restarted. Therefore, termination of $N$ ensures that $\llbracket N \rrbracket_3$ has an infinite computation: since the encoding always exhibits barb $e$, we can conclude that $\llbracket N \rrbracket_3 \Downarrow_e$. □

Lemma D.4 (Soundness). Let $N$ be a MM. If $N$ does not terminate then $\llbracket N \rrbracket_3 \not\Downarrow_e$.

Proof. It is enough to prove that if $N$ does not terminate (that is, if $N$ does not reach a HALT instruction) then all the computations of $\llbracket N \rrbracket_3$ are finite. Since the encoding can mimic the behavior of $N$ both correctly and incorrectly, we have two possible cases:

(1) In the first case, the simulation of $\llbracket N \rrbracket_3$ is correct and no erroneous steps are introduced. Notice that at every instruction an output on $f$ is consumed permanently: these copies of $f$ are only recreated when invoking a HALT instruction, which converts every $g$ into an $f$. Since a HALT instruction is never reached, new copies of $f$ are never recreated, and the computation of process $\llbracket N \rrbracket_3$ has necessarily to be finite.

(2) In the second case, the simulation is not correct and one or more wrong guesses occurred in the simulation of a decrement-and-jump instruction. Here, in addition to the possibility of deadlocks described in Item (1) above, erroneous computations constitute another source of deadlocks. In fact, as detailed in Remark C.4, for each one of such wrong guesses a copy of $b$ is permanently lost. Finally, the last source of error is represented by a wrong synchronization with $inc_j$ (in case of an increment) or $u_j$ (in case of a decrement) inside the adaptable process $c_j$. As described above, those wrong synchronizations lead to a deadlock. An arbitrary number of wrong guesses may thus lead to a state in which there are no outputs on $b$. As discussed at the end of the case M-Inc in the proof of Lemma D.2, the encoding of an increment instruction reaches a deadlock if a copy of $b$ is not available. This means that wrong guesses in simulating a decrement-and-jump instruction may induce deadlocks when simulating an increment instruction.

Hence, as all the computations of $\llbracket N \rrbracket_3$ are finite, the barb $e$ of $\llbracket N \rrbracket_3$ cannot be exposed an infinite number of times. □



We are now ready to repeat the statement of Lemma 8.2 on Page 39.

Lemma D.5 (8.2). Let $N$ be a MM. $N$ terminates iff $\llbracket N \rrbracket_3 \Downarrow_e$.

Proof. It follows directly from Lemmas D.3 and D.4. □



D.2. Proof of Lemma 8.6

Here we prove that given an $\mathcal{E}$ process $P$, its associated Petri net representation $\mathsf{PN}(P,\epsilon)$ faithfully preserves its behavior. We need some auxiliary propositions and definitions. The following proposition states how to build a Petri net for the parallel composition of two processes starting from the Petri nets of the two processes.

Proposition D.6. Let $P_1$ and $P_2$ be two $\mathcal{E}$ processes with associated Petri nets $\mathsf{PN}(P_1,\epsilon)$ and $\mathsf{PN}(P_2,\epsilon)$, as in Definition 8.4. Then, the Petri net $\mathsf{PN}(P_1 \parallel P_2, \epsilon)$ is defined as:
$$\mathsf{PN}(P_1 \parallel P_2, \epsilon) = (\mathsf{Places}(P_1 \parallel P_2), \mathsf{Trans}(P_1 \parallel P_2), \mathsf{Init}(P_1 \parallel P_2))$$
where
$$\begin{array}{rcl}
\mathsf{Places}(P_1 \parallel P_2, \epsilon) & = & \mathsf{Places}(P_1,\epsilon) \cup \mathsf{Places}(P_2,\epsilon), \\
\mathsf{Trans}(P_1 \parallel P_2, \epsilon) & = & \mathsf{Trans}(P_1,\epsilon) \cup \mathsf{Trans}(P_2,\epsilon) \cup T, \\
\mathsf{Init}(P_1 \parallel P_2) & = & \mathsf{Init}(P_1) \uplus \mathsf{Init}(P_2)
\end{array}$$
with $T$ representing the set of instances of transition schemata in Table 5 that become possible due to the interplay of places in $\mathsf{Places}(P_1,\epsilon)$ and in $\mathsf{Places}(P_2,\epsilon)$.

Proof. Immediate from the definitions. □

Similarly, the next proposition shows how to obtain the Petri net associated to $a[P]$ starting from the one of $P$.

Proposition D.7. Let $P$ be an $\mathcal{E}$ process with associated Petri net $\mathsf{PN}(P,\epsilon)$ as in Definition 8.4. Then, the Petri net $\mathsf{PN}(a[P],\epsilon)$ is defined as:
$$\mathsf{PN}(a[P],\epsilon) = (\mathsf{Places}(a[P]), \mathsf{Trans}(a[P]), \mathsf{Init}(a[P]))$$
where:

• $\mathsf{Places}(a[P],\epsilon) = \{(Q, a\sigma) \mid (Q,\sigma) \in \mathsf{Places}(P,\epsilon)\} \cup \{a\sigma \mid \sigma \in \mathsf{Places}(P,\epsilon)\} \cup \{a\}$.

• $\mathsf{Trans}(a[P])$ is obtained from $\mathsf{Trans}(P,\epsilon)$ by replacing places in $\mathsf{Places}(P,\epsilon)$ with places in $\mathsf{Places}(a[P],\epsilon)$, as defined above.

• $\mathsf{Init}(a[P])$ is obtained from $\mathsf{Init}(P)$ by (i) replacing places in $\mathsf{Places}(P,\epsilon)$ with places in $\mathsf{Places}(a[P],\epsilon)$, as defined above, and (ii) adding a token in the place for the adaptable process $a$.

Proof. Immediate from the definitions. □

Lemma D.8. Let $P$ and $(\mathsf{Places}(P,\epsilon), \mathsf{Trans}(P,\epsilon), \mathsf{Init}(P))$ be an $\mathcal{E}$ process and its associated Petri net, as in Definition 8.4. Then we have:

(1) If $P \longrightarrow P'$ then $\mathit{dec}_\epsilon(P) \uplus \{go\} \longrightarrow \mathit{dec}_\epsilon(P') \uplus \{go\}$.

(2) If $\mathit{dec}_\epsilon(P) \uplus \{go\} \longrightarrow m \uplus \{go\}$ then, for some $P'$, $P \longrightarrow P'$ and $\mathit{dec}_\epsilon(P') = m$.

Proof. The proof of (1) proceeds by induction on the derivation tree of $P \longrightarrow P'$, with a case analysis on the last applied rule. There are seven cases to check.
Case (Act1): Then we have $P = P_1 \parallel P_2$ and:
$$\frac{P_1 \longrightarrow P_1'}{P_1 \parallel P_2 \longrightarrow P_1' \parallel P_2}$$
By inductive hypothesis, we have $\mathit{dec}_\epsilon(P_1) \uplus \{go\} \longrightarrow \mathit{dec}_\epsilon(P_1') \uplus \{go\}$. By Proposition D.6, $\mathsf{Trans}(P_1,\epsilon) \subseteq \mathsf{Trans}(P_1 \parallel P_2,\epsilon)$. Since by Definition 8.4 $\mathit{dec}_\epsilon(P_1 \parallel P_2) = \mathit{dec}_\epsilon(P_1) \uplus \mathit{dec}_\epsilon(P_2)$, we can conclude that $\mathit{dec}_\epsilon(P) \uplus \{go\} \longrightarrow \mathit{dec}_\epsilon(P') \uplus \{go\}$ with $\mathit{dec}_\epsilon(P') = \mathit{dec}_\epsilon(P_1') \uplus \mathit{dec}_\epsilon(P_2)$. This concludes the proof for this case.

Case (Act2): Analogous to the case for (Act1) and omitted.

Case (Loc): Then we have $P = a[P_1]$ and
$$\frac{P_1 \longrightarrow P_1'}{a[P_1] \longrightarrow a[P_1']}$$
By inductive hypothesis, we have $\mathit{dec}_\epsilon(P_1) \uplus \{go\} \longrightarrow \mathit{dec}_\epsilon(P_1') \uplus \{go\}$. Proposition D.7 states that $\mathsf{Trans}(P,\epsilon)$ is obtained by extending the addresses of places in $\mathsf{Trans}(P_1,\epsilon)$ with name $a$. Since by Definition 8.4 $\mathit{dec}_\epsilon(a[P_1]) = \mathit{dec}_a(P_1) \uplus \{a\}$, we can conclude that $\mathit{dec}_\epsilon(P) \uplus \{go\} \longrightarrow \mathit{dec}_\epsilon(P') \uplus \{go\}$ with $\mathit{dec}_\epsilon(P') = \mathit{dec}_a(P_1') \uplus \{a\}$. This concludes the proof for this case.
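As an added illustration (not code from the paper), the following Python sketch implements the two clauses of $\mathit{dec}$ quoted in the (Act1) and (Loc) cases above and the place construction of Proposition D.7, over a constructed mini syntax in which sequential processes stay opaque; it checks on a constructed process that $\mathit{dec}_\epsilon(a[P])$ has exactly the lifted places of $P$ as support, and that $\mathsf{Init}$ keeps multiplicities ($\uplus$) where $\mathsf{Places}$ collapses them ($\cup$). The classes, the tuple encoding of addresses and all names are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Tuple, Union
# Constructed mini syntax (assumption): sequential processes such as sum_i pi_i.Q_i or
# !pi.Q stay opaque, since Propositions D.6/D.7 only use their identity and address.
@dataclass(frozen=True)
class Seq:
    label: str
@dataclass(frozen=True)
class Loc:            # a[P]
    name: str
    body: "Proc"
@dataclass(frozen=True)
class Par:            # P1 || P2
    left: "Proc"
    right: "Proc"
Proc = Union[Seq, Loc, Par]
Addr = Tuple[str, ...]   # address sigma as a tuple of names; () stands for epsilon

def dec(p: Proc, sigma: Addr = ()) -> Counter:
    """dec_sigma(P) as a multiset of places, following the two clauses of Definition 8.4
    quoted in the (Act1) and (Loc) cases of the proof of Lemma D.8."""
    if isinstance(p, Par):   # dec_sigma(P1 || P2) = dec_sigma(P1) (+) dec_sigma(P2)
        return dec(p.left, sigma) + dec(p.right, sigma)
    if isinstance(p, Loc):   # dec_sigma(a[P]) = dec_{sigma a}(P) (+) {sigma a}
        inner = sigma + (p.name,)
        return dec(p.body, inner) + Counter({inner: 1})
    return Counter({(p, sigma): 1})   # one token in the place (Q, sigma)

def lift_places(places_of_p: set, a: str) -> set:
    """Proposition D.7: prefix every address of Places(P) with a, then add the place a.
    Places(P) itself is just set(dec(P)): a plain set, so repeated places collapse."""
    lifted = set()
    for pl in places_of_p:
        if isinstance(pl[0], Seq):   # a place (Q, sigma)
            lifted.add((pl[0], (a,) + pl[1]))
        else:                        # a bare address sigma
            lifted.add((a,) + pl)
    lifted.add((a,))
    return lifted

def loc_case_holds(p: Proc, a: str) -> bool:
    """(Loc) case bookkeeping: dec_eps(a[P]) = dec_a(P) (+) {a}, whose support must be
    exactly the lifted Places(P) of Proposition D.7."""
    lhs = dec(Loc(a, p))
    return lhs == dec(p, (a,)) + Counter({(a,): 1}) and set(lhs) == lift_places(set(dec(p)), a)

# Constructed example: Q twice at address a (Init keeps 2 tokens) and once at address b.
Q = Seq("sum_i pi_i.Q_i")
EXAMPLE = Par(Loc("a", Par(Q, Q)), Loc("b", Q))
```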

Cases (Tau1)-(Tau2): Then $P = C_1[A] \parallel C_2[B]$, where $C_1, C_2$ are monadic contexts as in Definition 7.11. Moreover, $A$ is either $!\overline{b}.Q$ or $\sum_{i \in I} \pi_i.Q_i$ with $\pi_i = \overline{b}$, for some $i \in I$, and $B$ is either $!b.R$ or $\sum_{i \in I} \pi_i.R_i$ with $\pi_i = b$, for some $i \in I$.

We consider only the case in which $A = \sum_{i \in I} \pi_i.Q_i$ and $B = !b.R$; the other cases are similar. Let us denote with $\sigma$ and $\theta$ the address (with respect to the hole) induced by adaptable processes in $C_1$ and $C_2$, respectively. That is, the address of $A$ in $C_1$ is $\sigma$ and the address of $B$ in $C_2$ is $\theta$. Then, by construction of the Petri net, there is a token in the places $(\sum_{i \in I} \pi_i.Q_i, \sigma)$ and $(!b.R, \theta)$. Therefore, transition
$$\{go, (\textstyle\sum_{i \in I} \pi_i.Q_i, \sigma), (!b.R, \theta)\} \longrightarrow \{go, (!b.R, \theta)\} \uplus \mathit{dec}_\theta(R) \uplus \mathit{dec}_\sigma(Q_i)$$
(denoted (4) in Table 5) can fire. By definition of $\mathit{dec}$ (cf. Definition 8.4) it is easy to see that this corresponds to $\mathit{dec}_\epsilon(P') \uplus \{go\}$. This concludes the proof for this case.
Cases (Tau3)-(Tau4): Then $P = C_1[A] \parallel C_2[B]$ where:
• $C_1, C_2$ are monadic contexts, as in Definition 7.11;
• $A = b[P_1]$, for some $P_1$;
• $B = \sum_{i \in I} \pi_i.R_i$ with $\pi_i = b\{b[U] \parallel P_2\}$ for some $i \in I$, or $B = !b\{b[U] \parallel P_2\}.R$, for some $P_2, R$.

We consider the case in which $B = !b\{b[U] \parallel P_2\}.R$; the other case is similar. Let us denote with $\sigma$ and $\theta$ the address (with respect to the hole) induced by adaptable processes in $C_1$ and $C_2$, respectively. That is, the address of $A$ in $C_1$ is $\sigma$ and the address of $B$ in $C_2$ is $\theta$. Then, by construction of the Petri net, we have a token in the places $\sigma b$ and $(!b\{b[U] \parallel P_2\}.R, \theta)$. At this point, we should distinguish two cases, depending on whether $\sigma b$ is contained in $\theta$ or not. Suppose $\sigma b$ is not contained in $\theta$. That is, there is no process with the nesting structure of $C_1$ inside $C_2$. Then transition
$$\{go, \sigma b, (!b\{b[U] \parallel P_2\}.R, \theta)\} \longrightarrow \{go, (!b\{b[U] \parallel P_2\}.R, \theta), \sigma b\} \uplus \mathit{dec}_\theta(R) \uplus \mathit{dec}_\sigma(P_2) \uplus \mathit{dec}_{\sigma b}(U)$$
(denoted (8) in Table 5) can fire. It is easy to see that this corresponds to $\mathit{dec}_\epsilon(P') \uplus \{go\}$ and we are done.

Similarly, if $\sigma b$ is contained in $\theta$ then it means that there exists a process with the same structure of $C_1$ inside $C_2$. Therefore, the place $\sigma b$ is duplicated and a token is present in both places. Then transition
$$\{go, \sigma b, \sigma b, (!b\{b[U] \parallel P_2\}.R, \theta)\} \longrightarrow \{go, \sigma b, \sigma b, (!b\{b[U] \parallel P_2\}.R, \theta)\} \uplus \mathit{dec}_\theta(R) \uplus \mathit{dec}_\sigma(P_2) \uplus \mathit{dec}_{\sigma b}(U)$$
(denoted (9) in Table 5) can fire. It is easy to see that this corresponds to $\mathit{dec}_\epsilon(P') \uplus \{go\}$ and this concludes the proof.

We now move on to the proof of (2), which proceeds by a case analysis on the transition fired by the Petri net. The transition schemata in Table 5 can be divided into two groups: (1) transitions mimicking a synchronization (i.e., an interaction between an input and an output prefix) and (2) transitions mimicking an update action (i.e., an interaction between an update prefix and an adaptable process). We consider these two groups separately:
(1) This group comprises transition schemata (3)-(5) in Table 5. For simplicity we concentrate only on transitions of kind (3), as the others are similar. If a transition of this kind can fire, then we have tokens in
$$\{go, (\textstyle\sum_{i \in I} \pi_i.A_i, \alpha), (\textstyle\sum_{j \in J} \rho_j.B_j, \beta)\}$$
which, by construction of the Petri net, implies that
$$P = D[\textstyle\sum_{i \in I} \pi_i.A_i, \textstyle\sum_{j \in J} \rho_j.B_j]$$
where $D$ is a biadic context, as in Definition 7.11. After the firing of the transition, tokens move to $\{go\} \uplus \mathit{dec}_\alpha(A_l) \uplus \mathit{dec}_\beta(B_m)$; by construction, this corresponds to a process $P' = D[A_l, B_m]$, and we are done.
(2) This group comprises transition schemata (6)-(9) in Table 5. For simplicity, we concentrate only on transitions of kind (6), as the others are similar. If a transition of this kind can fire, then we have tokens in
$$\{go, (\textstyle\sum_{i \in I} \pi_i.A_i, \alpha), \beta a\}$$
which, by construction of the Petri net, implies
$$P = D[\textstyle\sum_{i \in I} \pi_i.A_i, a[Q]]$$
where $D$ is a biadic context, as in Definition 7.11. After the firing of the transition the tokens move to $\{go\} \uplus \mathit{dec}_\alpha(A_l) \uplus \mathit{dec}_\beta(A) \uplus \mathit{dec}_{\beta a}(U) \uplus \{\beta a\}$; by construction, this corresponds to a process $P' = D[A_l, a[U\{\!\{Q\}\!\}] \parallel A]$, and we are done. □

We can now restate Lemma 8.6, as on Page 41.

Lemma D.9 (8.6). Let $P$ and $(\mathsf{Places}(P,\epsilon), \mathsf{Trans}(P,\epsilon), \mathsf{Init}(P))$ be an $\mathcal{E}$ process and its associated Petri net, as in Definition 8.4. Then we have:
$$P \longrightarrow P' \ \text{ iff } \ \mathit{dec}_\epsilon(P) \uplus \{go\} \longrightarrow \mathit{dec}_\epsilon(P') \uplus \{go\}.$$

Proof. Immediate from Lemma D.8. □